The EU Cybersecurity Month (“ECSM”) is the EU’s annual awareness campaign that takes place every October across Europe. Through this initiative, European institutions aim to raise awareness about cybersecurity threats, promote mitigation action and share good practice.
CMS Belgium fully supports this campaign. We are a proud partner of the Centre for Cyber Security and the Cyber Security Coalition for Belgium’s national campaign on phishing. As phishing is the most common entry point for ransomware, this type of cyberattack is a significant threat for enterprises, in terms of both financial impact and productivity loss.
The ECSM represents a good opportunity for practising your cyber-hygiene. This article provides you with tips and tricks on how to identify and avoid phishing.
Remote or hybrid working environments make it harder for IT teams to prevent security incidents (including data breaches) caused by malicious email attacks. Indeed, companies are constantly subject to sophisticated phishing attacks, with targeted campaigns that use clever social engineering tricks to gain access to your most confidential data.
Unfortunately, it is easier to hack a remote employee than someone sitting inside your corporate environment. As a result, companies need to reassess their security risks and find new ways to protect their dispersed workforce from phishing attacks.
What is phishing?
Phishing is a fraudulent attempt to steal user data such as login credentials, credit card information or even corporate money using social engineering techniques. Email remains the primary business communication tool in most organisations. The perpetrators are fully aware of this and are able to use email as a gateway into a business.
This type of attack is usually launched via an email that appears to be sent from a reputable source, with the intention of persuading an employee to open a malicious attachment or click on a fraudulent URL (for example, one leading to a compromised website that delivers ransomware).
This type of cyberattack constantly evolves, changing and adapting its forms so that phishing emails look more and more genuine. It is important to be cautious and aware that cybercriminals knowingly exploit basic human emotions and traits such as fear, trust, curiosity, habit, secrecy, urgency and flattery to obtain (sensitive) company data.
Entry point for ransomware attack
Phishing attacks are one of the most popular entry points for starting ransomware attacks. Ransomware is malicious software that infects a computer and restricts users’ access to it until a ransom is paid to unlock it.
All organisations are at risk of falling victim to a ransomware incident and are responsible for protecting sensitive and personal data stored on their systems. Such an attack can have negative consequences, including temporary or permanent loss of sensitive or proprietary information; disruption to regular operations; and financial losses incurred to restore systems and files.
Impact and risk – why does it
Phishing is the number one threat for companies and can be extremely expensive.
Indeed, many successful phishing attacks lead to substantial losses in productivity for the target organisation, which, in turn, may impact the organisation’s reputation.
Moreover, phishing is a tool used to exploit networks, potentially leading to blackmail, identity theft, extortion, and the acquisition and sale of sensitive data and secret information.
Finally, your company will also have to maintain its compliance with data protection law, including notifying the competent supervisory authority.
Make your staff aware
Cybersecurity awareness training is a key priority in a hybrid working environment. Enrolling your staff on cybersecurity training or e-learning courses will lead to more highly skilled employees who are unlikely to expose sensitive information. Campaign posters are also great supplements to training courses. Simulating a phishing attack, and monitoring how your staff respond, is also a good test.
Cybersecurity tips and tricks
Apart from installing anti-virus and other computer defence software (such as strong spam filters), here are some tips and tricks to identify and avoid phishing:
Think Before U Click! (the official motto of the ECSM campaign). Do not click on links or download attachments if you are not confident about the source of the email (the same applies for short links on social media).
If in doubt, it is always best to not click or download. Call and ask the sender.
Ask yourself these questions: Do I know the sender and am I expecting an email from them? Does it seem strange or inappropriate? Does it feel like the sender is trying to spark my curiosity?
Never send passwords, bank account numbers or other private information in an email.
Apply multi-factor authentication across the network, which can help stop intruders from breaching accounts (see our previous Law Now article).
Pay attention to the domain name. Where does the link lead? What matters is the registrable domain, i.e. the label immediately before the top-level domain such as “.com”; anything to the left of it is a subdomain chosen by whoever owns that domain. For example, “CMS.phishing.com” will lead you to “phishing.com” and not “CMS.com”.
Identify vulnerabilities and prioritise timely patching, both of the vulnerabilities themselves and of the software they affect.
Implement a cybersecurity policy detailing best practice for your employees to follow while hybrid working and ensure they take the necessary steps to keep your business information secure.
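The domain-name tip above is easy to state and easy to get wrong in practice, so here is a small Python example, added for this article and not part of the original or of any CMS tool, that resolves where a link really leads. It reuses the page's own illustration (“CMS.phishing.com” versus “CMS.com”); the list of trusted domains and the short set of multi-label public suffixes are assumptions made for the example.

```python
from urllib.parse import urlsplit

# Constructed allow-list of domains the organisation actually owns (an
# assumption for this example; a real deployment would load it from config).
TRUSTED_DOMAINS = {"cms.com"}

# A tiny, hand-picked subset of multi-label public suffixes. The simple
# "last two labels" rule below is wrong for these, so a production tool
# should consult the full Public Suffix List (https://publicsuffix.org/).
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}


def hostname_of(url: str) -> str:
    """Return the lower-cased host a link really points to.

    Scheme-less input such as "cms.phishing.com/login" is given a scheme so
    that urlsplit treats the first component as the host rather than a path.
    urlsplit().hostname already discards any user:pass@ prefix, the port,
    the path and the query string, which is exactly what a reader should
    ignore when judging a link.
    """
    if "://" not in url:
        url = "http://" + url
    host = urlsplit(url).hostname
    if not host:
        raise ValueError(f"no host found in {url!r}")
    return host.lower().rstrip(".")


def registrable_domain(host: str) -> str:
    """Return the part of the host that a registrant actually controls.

    For "cms.phishing.com" this is "phishing.com": every label to the left
    of it is a subdomain chosen by whoever owns phishing.com.
    """
    labels = host.split(".")
    if len(labels) <= 2:
        return host
    tail = ".".join(labels[-2:])
    if tail in MULTI_LABEL_SUFFIXES:
        # e.g. "secure.cms.co.uk" -> "cms.co.uk", not "co.uk"
        return ".".join(labels[-3:])
    return tail


def assess_link(url: str) -> dict:
    """Classify a link as trusted or not, relative to TRUSTED_DOMAINS."""
    host = hostname_of(url)
    domain = registrable_domain(host)
    return {
        "host": host,
        "registrable_domain": domain,
        "trusted": domain in TRUSTED_DOMAINS,
    }


if __name__ == "__main__":
    # Constructed sample links, modelled on the article's own example.
    for link in [
        "https://cms.com/login",
        "https://mail.cms.com/owa",
        "https://CMS.phishing.com/login",
        "https://cms.com.phishing.com/",
        "https://cms.com@phishing.com/",
        "https://secure.cms.co.uk/",
    ]:
        result = assess_link(link)
        print(f"{link:35} -> {result['registrable_domain']:15} "
              f"trusted={result['trusted']}")
```

Running the block shows that only the first two links resolve to cms.com; the third and fourth land on phishing.com regardless of how many familiar-looking labels precede it, and the fifth does too, because everything before the “@” is user information, not the host. The last line illustrates the caveat in the comments: with a country-code suffix such as “.co.uk” the registrable domain is three labels long, which is why a real checker should rely on the Public Suffix List rather than the two-label shortcut used here.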
For more information on cybersecurity, please contact your usual CMS advisor. Did you know our tech & data practice is recognised as tier 1 (best-in-class) by Chambers and Legal