PKF North America News


Cybersecurity Training Alone is Insufficient to Prevent a Phishing Attack by Brandon Bowers

2024-07-08


The post Cybersecurity Training Alone is Insufficient to Prevent a Phishing Attack by Brandon Bowers appeared first on Berkowitz Pollack Brant Advisors + CPAs.

Phishing scams and business email compromises (BECs) continue to make headlines, holding the titles of the most common cybersecurity breach method and the most frequently reported crime to the FBI’s Internet Crime Complaint Center (IC3). Yet, even as businesses step up efforts to help employees learn to recognize the warning signs of these attacks, criminals are often one step ahead, developing newer, more sophisticated and elaborate schemes that are increasingly difficult to detect. In this environment, employee training alone is not enough to protect a business from a breach. Additional layers of security are required.

In a phishing attack, criminals impersonate a trusted person or entity, including victims’ own coworkers and business partners, to trick their targets into sharing sensitive information, such as private business records, the personally identifying information of employees and customers and even credentials for network access. The bait, which victims can receive via email, text message or phone call, appears to come from someone the recipient knows and includes an urgent request for payment or other sensitive information that criminals can then capture and use to exploit network vulnerabilities. Victims may also be lured into opening an attachment or clicking on a link that ultimately downloads malware or holds the organization’s entire digital and cyber network hostage.

Cybersecurity awareness training is critical to help businesses educate their staff and improve the odds that they will not fall victim to a phishing scam. However, there are no guarantees that your busy employees will always recognize the warning signs of a phishing attempt and avoid taking scammers’ bait. According to several studies, 74 percent of all cybersecurity breaches are caused by human error[1][2], and more than 66 percent of companies believe that their employees are putting their organizations at risk through the misuse of email, oversharing company information on social media and careless web browsing.[3]

The fact is that there is no single silver bullet that can protect businesses from the growing risks of phishing attacks. Instead, companies of all sizes must employ a multi-pronged approach to cybersecurity that includes strong policies, mandatory threat training and a robust security system that may consist of the following elements:

  • Establish strong password policies that require employees to use unique and complex passwords.
  • Adopt a password management tool to help employees remember all their unique login credentials.
  • Use two- or multi-factor authentication (MFA) to grant employees access to company systems, software and apps.
  • Reinforce your defenses with firewalls and intrusion monitoring, detection and response/prevention solutions.
  • Employ advanced phishing protections, such as spam filters and advanced anti-phishing systems, that can protect your systems by detecting threats in real time.
  • Routinely scan your systems for vulnerabilities and conduct regular penetration tests.
  • Back up critical data to help you restore systems quickly after a data breach.
  • Develop, implement and regularly update an ongoing training program to improve employees’ cybersecurity awareness and educate them to recognize the warning signs of a phishing attack.
  • Develop and regularly test a companywide incident response plan (IRP).

About the Author: Brandon Bowers is director of Managed Cyber Security Solutions with Berkowitz Pollack Brant Advisors + CPAs, where he provides businesses, professional services firms and family offices with business continuity and recovery, cybersecurity and fully outsourced help desk services. He can be reached at the CPA firm’s Ft. Lauderdale, Fla., office at (954) 712-7000 or info@bpbcpa.com.

[1] Mimecast Human Risk and AI Framing the Future, 2024 State of Email & Collaboration Security

[2] Verizon 2024 Data Breach Investigations Report

[3] Mimecast Human Risk and AI Framing the Future, 2024 State of Email & Collaboration Security
