In a recent blog, Cybersecurity: How to Maintain Cyber Insurance Coverage in Canada, we mentioned how an increasing number of Canadian cyber insurance companies are asking companies whether they are performing phish testing as part of their cybersecurity strategies.
There’s a reason insurance providers ask this question: phishing is now one of the most common cybersecurity threats facing small and medium-sized businesses. According to the Verizon Data Breach Investigations Report, phishing is involved in 36 percent of all breaches, and 95 percent of business email compromise losses fall between $250 and $984,855, with a median loss of $30,000.
To improve their protection against these attacks, a growing number of organizations are turning to phish testing to expose weaknesses and build prevention strategies.
In this blog, we take a look at what exactly phish testing is and why it should be an important aspect of your cybersecurity strategy. Before we get into what phish testing is, let’s first take a quick recap of what phishing attacks are.
What is phishing and why is it a cybersecurity threat?
Phishing is a cyber attack in which criminals try to steal sensitive information through fraudulent communication, most often email, that appears to come from a reputable source.
The goal is to convince the recipient that the message is genuine and that urgent action is required. The scammer steers the recipient into clicking a link or opening an attachment, which lets the attacker capture sensitive information such as login credentials or credit card numbers.
This type of cyber attack is effective because the phishing message masquerades as a trustworthy individual or trusted entity.
What is phish testing?
The larger the business, the harder it is to keep phishing attacks from succeeding. The most effective way to reduce that risk is to find out where your organization is vulnerable and then teach staff how to recognize phishing attempts.
That’s where phish testing comes in.
A phish test (also called a phishing simulation) is a controlled exercise in which an IT or security professional sends mock phishing emails, sometimes paired with a matching fake web page, to an organization’s employees. Recording who clicks the link or enters credentials shows IT and security teams where the gaps in the company’s defences are, so they can be closed.
It also gives employees a chance to see the different forms phishing takes, and the tell-tale signs of each, in a realistic but controlled setting. Companies can then provide targeted training and best practices to their team, so that employees don’t fall prey to real phishing attempts in the future.
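The tracking that makes a phish test measurable is simple to build. The following is an added example, not code from this post or from OT Group: each recipient gets a unique link carrying a keyed token, and the landing page’s web-server log is scored afterwards to see who clicked and who went on to submit credentials. The landing path `/signin`, the query parameter `t`, the demo key and the log lines are all constructed for the example.

```python
import hashlib
import hmac
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Constructed demo secret. A real campaign would generate a fresh random key
# (for example secrets.token_bytes(32)) and keep it out of the mail template.
DEMO_KEY = b"constructed-demo-campaign-key"


def make_token(email: str, key: bytes) -> str:
    """Per-recipient tracking token: HMAC-SHA256 over the address, truncated.

    Because the token is keyed, one recipient cannot guess a colleague's token,
    and a token seen in the logs cannot be tied to a person without the key."""
    mac = hmac.new(key, email.strip().lower().encode(), hashlib.sha256)
    return mac.hexdigest()[:16]


def build_campaign(recipients, base_url: str, key: bytes):
    """Return (token -> recipient) and the unique link each mock email gets."""
    token_to_email, links = {}, {}
    for addr in recipients:
        tok = make_token(addr, key)
        token_to_email[tok] = addr
        links[addr] = f"{base_url}/signin?t={tok}"
    return token_to_email, links


# Only the request line of a combined-format log entry matters here.
LOG_RE = re.compile(r'"(?P<method>GET|POST) (?P<target>\S+) HTTP/')


def tally(log_lines, token_to_email):
    """Classify each recipient as no_action, clicked (opened the link) or
    submitted (posted the form on the landing page).

    Tokens this campaign never issued (scanners, a link forwarded outside the
    test population) are counted separately and never attributed to anyone."""
    outcome = {addr: "no_action" for addr in token_to_email.values()}
    unknown = 0
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        token = parse_qs(urlsplit(m.group("target")).query).get("t", [None])[0]
        if token is None:
            continue  # favicon, static assets, etc.
        addr = token_to_email.get(token)
        if addr is None:
            unknown += 1
            continue
        if m.group("method") == "POST":
            outcome[addr] = "submitted"
        elif outcome[addr] == "no_action":
            outcome[addr] = "clicked"
    return outcome, unknown


def summarize(outcome):
    """Campaign-level numbers for the report."""
    counts = Counter(outcome.values())
    n = len(outcome)
    clicked = counts["clicked"] + counts["submitted"]
    return {
        "recipients": n,
        "clicked": clicked,
        "submitted": counts["submitted"],
        "click_rate": round(clicked / n, 2) if n else 0.0,
    }


def demo():
    """Run the example end to end on constructed recipients and log lines."""
    recipients = ["alice@example.com", "bob@example.com",
                  "carol@example.com", "dave@example.com"]
    token_to_email, _links = build_campaign(recipients, "https://portal.example", DEMO_KEY)
    tok = {a: make_token(a, DEMO_KEY) for a in recipients}
    # Constructed web-server log lines from the mock landing page.
    logs = [
        f'10.0.0.5 - - [12/Mar/2024:09:01:10 +0000] "GET /signin?t={tok["alice@example.com"]} HTTP/1.1" 200 812',
        f'10.0.0.5 - - [12/Mar/2024:09:01:42 +0000] "POST /signin?t={tok["alice@example.com"]} HTTP/1.1" 302 0',
        f'10.0.0.9 - - [12/Mar/2024:09:03:00 +0000] "GET /signin?t={tok["bob@example.com"]} HTTP/1.1" 200 812',
        '10.0.0.9 - - [12/Mar/2024:09:03:01 +0000] "GET /favicon.ico HTTP/1.1" 404 0',
        '203.0.113.7 - - [12/Mar/2024:09:05:00 +0000] "GET /signin?t=0123456789abcdef HTTP/1.1" 200 812',
    ]
    outcome, unknown = tally(logs, token_to_email)
    return outcome, unknown, summarize(outcome)


if __name__ == "__main__":
    outcome, unknown, summary = demo()
    print(outcome, unknown, summary)
```

Two design choices matter for the point made in the next section. The per-person outcome exists only so that follow-up training can be targeted; the number that belongs in a report is the campaign-level click and submission rate. And the unknown-token count is kept apart deliberately: an external scanner or a link forwarded to someone outside the test population should never be recorded against a named employee.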
Things to keep in mind when phish testing
Phish testing can significantly reduce an organization’s exposure to phishing attacks, but, done badly, it can also leave employees with a bitter taste in their mouths.
Some employees may see a phishing test as a questionable tactic in the name of better security, and feel that it is unfair or unethical.
With that in mind, Harvard Business Review suggests three tips to keep in mind when conducting phish tests:
Interested in learning more about improving your cybersecurity strategy? Get in touch with OT Group today. Our IT solutions and cybersecurity experts have helped a large number of small and medium-sized businesses grow across Eastern Ontario, from the GTA to Ottawa.