The FBI calls successful phishing a Business Email Compromise (BEC) and has logged about 7,000 such events since 2013. The average loss was $130,000.
With strengthened email security, an IT department can make things harder for phishers, because the users will be confident that email is from a sender who’s known to be trustworthy (or not) and treat email appropriately. Preventing one phishing effort could save your organization $130,000. Here are 5 tips on how to do it:
1. Have a password policy
Preventing the theft of email accounts starts with good passwords, and good passwords do not happen by themselves. The IT department must enforce basic standards. These include:
- Minimum length (12 characters is now common.)
- Minimum complexity (they must include upper and lowercase, numeric, and special characters.)
- They must be changed at intervals.
Do not use a password generator—require users to come up with their own passwords. It’s better to have each user be a potential source of personal exposure than have a central piece of software that’s a potential source of enterprise-wide exposure.
Rigorous password requirements will probably also push the users into having unique passwords at work and at home, assuming that is not already required by your organization. If they are using the same passwords at home (for gaming and social media) that’s dangerous, since the password lists of online services are a major hacker target.
2. Encourage creativity
Behind the passwords are the security questions, used to establish ownership of an account if the user forgets the password. It’s common to ask the name of the user’s first car, mother’s maiden name, town of birth, favorite pet’s name, etc. Unfortunately, there is not a huge number of automotive brand names in circulation, and other facts can often be mined from Facebook, altogether making the hacker’s task easier than it should be.
But nobody has to give straight answers. The only requirement is that the user remembers what the answer is, and the more creative the answer, the more likely the user is to remember it—and for a hacker to be unable to guess it.
So spread the word—if that first car was a white elephant, they should consider putting down White Elephant. If it was the faster than any of their friends’ cars, try Millennium Falcon. If it spent more time in the shop then on the road, try Hangar Queen.
3. Kill unused accounts
Unused email accounts are playgrounds for hackers. The best way to prevent them from falling into the wrong hands is to have none. Close the accounts of employees when they separate from the enterprise. Make sure that no one has multiple accounts without good reason.
Meanwhile, encourage all staff members to do something similar: close all their unused online accounts. That will leave less personal data online that a hacker could stumble across and use to establish credentials.
4. Strengthen the “human firewall”
The effectiveness of phishing emails depend on the reactions of the people reading them. If an enterprise’s office staff have no security training or awareness, they may think it’s reasonable to get emails from a traveling boss, using an unknown account, with a directive to send millions to a previously unknown third party. Or barring that, to send credit card information to get a mysterious package unstuck from a previously unheard of customs warehouse in Hong Kong.
If the human firewall is weak, emails like those can trigger another BEC and cost your enterprise $130,000 on average. If it is strong, someone will press the Delete key.
5. Allow only trusted email to arrive
If only email from trusted sources is allowed to arrive, phishing, and other security concerns connected to email, goes away. Email from other sources still arrives, since you don’t want to be cut off from the outside world, but it’s not trusted.
That’s the Sendio way. By controlling the source of email, through techniques like a Sender Verification Process and Silverlisting™, unsolicited email will not arrive in a trusted fashion, and can never turn your organization into another BEC statistic.
You can request a demo to see just how effective it can be in keeping your organization safe.
