Are you a sitting duck? How to test the impact of phishing on your organisation
Phishing is a growing problem. As protections become more sophisticated, so do the threats. With a high level of user training and technical protection, you can keep up with the perpetrators, but how vulnerable are you really? With simple tools built into Microsoft 365, you can test the impact of phishing on your organisation.
The trend is clear. Attempts to harvest users' account details with fake emails continue to increase. The services that protect us from online fraud are becoming more sophisticated, but so are the threats. Because scammers are constantly finding new ways in, you are easy prey if you lack adequate protection.
Many companies know they need to improve security, but because they don't know where to start and don't want to make it too difficult for users, they choose to take a risk. All too often, the starting point for improving security is an incident. Instead of rolling out security solutions gradually and letting users get used to them, they are forced to make costly investments and radical changes in a short period of time.
Research shows that almost all companies have leaked user accounts and passwords, even if they don't know it themselves, and with a bit of bad luck it can become a costly story. To find out how email fraud can happen, read this article. Stolen account details can be used for fraud, data theft or to hold a user's computer hostage (ransomware). If the attacker manages to move from the user's device onto the corporate network, things can get really bad.
Training is as important as technical protection
It's easy to dream of 100% protection that blocks all account hijacking attempts, but such a solution is impossible to achieve without sacrificing usability and productivity. Modern people want to be able to work from their home computer, check their email on their mobile phone and be on the move. In such a world, a certain level of security awareness will always be required. On the other hand, we don't want employees to have to spend too much of their working day assessing whether their emails are potential security risks. It is best to strike a balance between educating users and using technical protection that can step in if something goes wrong.
Net fishing for knowledge gaps in your organisation
If you are curious to know how a phishing attempt would affect your organisation, you can actually test it. Microsoft 365 has a built-in feature for sending out fake scam emails with the aim of surveying users' skill levels. The message looks like a scam email, but instead of hijacking the user's account details it records how many people opened it. It's not about blaming those who click. Instead, the tool is meant to show whether there is a need for training in the organisation. If many people click, an appropriate measure might be to organise a security workshop where employees learn how to recognise and report fraud attempts.
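The kind of analysis a simulation like this feeds into, as an added example that is not part of the original article and not Microsoft's own reporting code: it takes a constructed set of per-recipient campaign results (the record fields `opened`, `clicked`, `submitted`, `reported` and `dept` are assumptions for this example, not the Microsoft 365 export format), computes the campaign funnel, breaks the click rate down by department and turns that into a training recommendation. The thresholds are assumed policy values.

```python
from collections import defaultdict

# Constructed sample results for one simulated campaign (not real data).
# Each record is one recipient; field names are assumptions for this example.
SAMPLE_RESULTS = [
    {"user": "anna",   "dept": "Finance", "opened": True,  "clicked": True,  "submitted": True,  "reported": False},
    {"user": "bjorn",  "dept": "Finance", "opened": True,  "clicked": True,  "submitted": False, "reported": False},
    {"user": "carla",  "dept": "Finance", "opened": True,  "clicked": False, "submitted": False, "reported": True},
    {"user": "dan",    "dept": "Finance", "opened": False, "clicked": False, "submitted": False, "reported": False},
    {"user": "erik",   "dept": "IT",      "opened": True,  "clicked": False, "submitted": False, "reported": True},
    {"user": "fatima", "dept": "IT",      "opened": True,  "clicked": False, "submitted": False, "reported": True},
    {"user": "gustav", "dept": "IT",      "opened": False, "clicked": False, "submitted": False, "reported": False},
    {"user": "hanna",  "dept": "Sales",   "opened": True,  "clicked": True,  "submitted": False, "reported": False},
    {"user": "ivan",   "dept": "Sales",   "opened": True,  "clicked": True,  "submitted": True,  "reported": False},
    {"user": "jonas",  "dept": "Sales",   "opened": True,  "clicked": False, "submitted": False, "reported": False},
]


def campaign_funnel(results):
    """Count how far recipients got: sent -> opened -> clicked -> submitted, plus reports."""
    return {
        "sent": len(results),
        "opened": sum(1 for r in results if r["opened"]),
        "clicked": sum(1 for r in results if r["clicked"]),
        "submitted": sum(1 for r in results if r["submitted"]),
        "reported": sum(1 for r in results if r["reported"]),
    }


def click_rate_by_department(results):
    """Share of recipients per department who clicked the simulated link."""
    sent = defaultdict(int)
    clicked = defaultdict(int)
    for r in results:
        sent[r["dept"]] += 1
        if r["clicked"]:
            clicked[r["dept"]] += 1
    return {dept: clicked[dept] / sent[dept] for dept in sent}


def training_recommendation(results, click_threshold=0.20, report_threshold=0.50):
    """Assumed policy: a department above click_threshold gets a workshop; a campaign-wide
    report rate below report_threshold means the reporting habit itself needs training."""
    funnel = campaign_funnel(results)
    rates = click_rate_by_department(results)
    return {
        "overall_click_rate": funnel["clicked"] / funnel["sent"],
        "overall_report_rate": funnel["reported"] / funnel["sent"],
        "workshop_for": sorted(d for d, rate in rates.items() if rate > click_threshold),
        "reporting_needs_work": funnel["reported"] / funnel["sent"] < report_threshold,
    }


if __name__ == "__main__":
    print(campaign_funnel(SAMPLE_RESULTS))
    print(click_rate_by_department(SAMPLE_RESULTS))
    print(training_recommendation(SAMPLE_RESULTS))
```

The "submitted" step matters more than the click count: a click shows who would be lured, but a submitted form is the case where technical protection has to take over, and it is the number to watch from one campaign to the next.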
ATP - advanced protection using AI and machine learning
The level of user education is important, but you also need technical protection that can, at best, stop you before you click the link. As a Microsoft cloud services user you always have some protection against mass mailings and fraud, but only in Microsoft 365 Business do you automatically get access to more advanced protection in the form of Advanced Threat Protection (ATP). ATP is an industry-leading protection that uses AI and machine learning, among other things, to recognise and stop attempts to harvest personal data.
Help, I've entered my account details where I shouldn't!
If disaster strikes and an employee has entered their username and password into a fake form, other Microsoft 365 features will step in to minimise the damage, provided you have configured them according to the level of security your business requires.
Because the system has learned how users work with their accounts, how they log in and how many files they share, it reacts when a user does something that breaks the norm. If you rarely leave Sweden but suddenly log on from Denmark, suspicion is raised. If you then log in from China an hour later, the system will, if you have configured it to, require two-step verification or even lock the account. The information about your users' movements is already there. It's up to you as an IT strategist or CDO to decide what to do with it and what level of security you want. A good tool for testing your security settings and illustrating shortcomings is Microsoft's Secure Score, which evaluates your IT environment on a point scale.
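The "impossible travel" logic the paragraph describes, as an added example rather than Microsoft's own detection code: consecutive sign-ins for the same user are compared, the great-circle distance between their locations is divided by the elapsed time, and any pair that would require travelling faster than an assumed airliner speed is flagged. The sign-in records below are constructed, and the response policy (require MFA for a modest excess, lock the account for an extreme one) is an assumption standing in for whatever you configure in your own tenant.

```python
from collections import defaultdict
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0

# Constructed sample sign-in records (not real Microsoft 365 sign-in logs).
# Coordinates are approximate city centres; "time" is UTC.
SAMPLE_SIGNINS = [
    {"user": "anna",  "time": "2024-05-01T08:00:00Z", "city": "Stockholm",  "lat": 59.33, "lon": 18.07},
    {"user": "anna",  "time": "2024-05-01T12:30:00Z", "city": "Copenhagen", "lat": 55.68, "lon": 12.57},
    {"user": "anna",  "time": "2024-05-01T13:30:00Z", "city": "Shanghai",   "lat": 31.23, "lon": 121.47},
    {"user": "bjorn", "time": "2024-05-01T09:00:00Z", "city": "Stockholm",  "lat": 59.33, "lon": 18.07},
    {"user": "bjorn", "time": "2024-05-01T17:00:00Z", "city": "Gothenburg", "lat": 57.71, "lon": 11.97},
]


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points given in decimal degrees."""
    phi1, phi2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlmb = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(phi1) * cos(phi2) * sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def parse_time(stamp):
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def recommended_action(speed_kmh, max_speed_kmh):
    """Assumed policy: a bit faster than a plane -> step-up MFA; far faster -> lock the account."""
    return "lock_account" if speed_kmh > 3 * max_speed_kmh else "require_mfa"


def detect_impossible_travel(signins, max_speed_kmh=900.0):
    """Flag consecutive sign-ins per user whose implied travel speed exceeds max_speed_kmh.
    max_speed_kmh is an assumed threshold roughly matching commercial flight speed."""
    by_user = defaultdict(list)
    for rec in signins:
        by_user[rec["user"]].append(rec)

    findings = []
    for user, recs in by_user.items():
        recs.sort(key=lambda r: parse_time(r["time"]))
        for prev, cur in zip(recs, recs[1:]):
            hours = (parse_time(cur["time"]) - parse_time(prev["time"])).total_seconds() / 3600.0
            distance = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            # Same-second sign-ins from different places are treated as infinitely fast.
            speed = float("inf") if hours <= 0 and distance > 0 else (distance / hours if hours > 0 else 0.0)
            if speed > max_speed_kmh:
                findings.append({
                    "user": user,
                    "from": prev["city"],
                    "to": cur["city"],
                    "distance_km": round(distance),
                    "hours": round(hours, 2),
                    "speed_kmh": round(speed),
                    "action": recommended_action(speed, max_speed_kmh),
                })
    return findings


if __name__ == "__main__":
    for finding in detect_impossible_travel(SAMPLE_SIGNINS):
        print(finding)
```

On the sample data, Stockholm to Copenhagen in four and a half hours is ordinary travel and passes, whereas Copenhagen to Shanghai one hour later implies several thousand kilometres per hour and is flagged for an account lock. In a real tenant the equivalent signal comes from the sign-in risk detections, and the threshold and response belong in your conditional access policy rather than in a script, but the arithmetic is the same.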
Your security solution is a commodity
With a high level of training, the right security settings and a system like ATP that hopefully steps in when someone makes a mistake, you can sleep relatively well at night - but unfortunately you're not done there. As phishing attacks increase and become more sophisticated with each passing week, you'll need to keep both your technical protection and your staff's knowledge up to date. Companies that invest in security on an ongoing basis more or less hold their own against the scammers. Those who do nothing fall behind and put themselves at great risk.
If you want to find out how secure your current IT environment is, we at WeSafe can help you perform a free security assessment and get concrete tips and recommendations on what you can do to protect yourself against phishing and other fraud attempts. As your IT partner, WeSafe can then help you perform tests, audit your IT environment and suggest solutions based on the features available in your Microsoft 365 licences.