A Security Life Vest May Be Needed
By: Donna Henson, CPA, CFE, CISA
Companies are not safe to go into global water without a security life vest. What makes phishing such a danger to businesses? It is simple in its purpose, complex in its attacks, which use a multitude of malware (malicious software), and costly to a company in more ways than one.
I know we have either been told or have read the “Do(s)” and “Don’t(s)” of suspicious e-mails or links to websites. The software utilized to cause great costs is the weapon, but the culprits are people. Both the attackers and the targets are to blame. The attackers rely on fast-paced environments and on people who must manage multi-tasking, all the while trying to remember to maintain security. The attackers use the tactics of social engineering and subterfuge all too well in today’s corporate environment.
Together, these schemes usually request action from the recipient, such as disclosure of key information, or deliver malware that can be used to redirect people from legitimate websites to counterfeit sites; if a corporate system is compromised, the malware can launch more attacks. Once malware is delivered into a corporate network, attackers will have the keys to the kingdom by “shoulder-surfing” (as if they were right behind you, watching you type in your User ID and password) until they have located an “in” that provides access to sensitive data, which they then acquire.
According to a July 6, 2015 post by HealthITSecurity that refers to a Coalfire White Paper [1], research identified a phishing attack every minute, with a total global cost of $4.5 billion in losses in 2014. It goes on to note that the US has seen an estimated $655 million in losses, with 72% of the global attack volume centered on the US.
Going back to the “Do(s)” and “Don’t(s)”, the best way to limit the chances of your organization being breached is your commitment to training on procedures to follow, communicating the consequences of failing to comply, and demanding accountability from personnel. Make these procedures part of the day-to-day tasks so they become second nature. You can’t train e-mails, websites or software, but you can train the people who use these communication applications.
If you have any questions or would like to learn more about how to protect yourself from these situations, please contact the Shinn & Co team at firstname.lastname@example.org or call 941.747.0500.