Are you doing enough to protect your business from phishing?
That's the question we just asked 503 business owners. You see, we talk to a lot of people who aren't doing enough to protect their business from phishing attacks. We wanted to understand why.
Maybe they just don’t think it’s a major concern in their organization? Or maybe they think that they’ve protected themselves well enough that they don’t have to worry?
But phishing is an especially tricky threat. Most people don’t realize how incredibly convincing a well-done phishing email can be.
And the stakes are only getting higher. Now, 93% of phishing attacks lead to ransomware. We don’t think we need to tell you what a headache that is.
But here’s the thing: when it comes to phishing, do people know what they don’t know?
What type of people are the most confident in their phishing protection? What about the least?
And, most importantly, should the most confident people feel as secure as they are?
We decided to take matters into our own hands and find out, consolidating our results into a few surprising phishing facts.
We surveyed 503 small and midsized business owners with one simple question:
"Are you doing enough to protect your business from phishing?"
It may seem overly simple, but some of the results surprised us...
Most people just don't know.
Overall, the top answer to the question we posed was "I don't know."
This wasn’t surprising, since phishing is an especially slippery security problem. It makes sense that most people weren’t 100% sure that they were doing everything they could to protect themselves from phishing.
But there was more to it than that. We did a little more digging and started to break down our phishing facts by demographic.
First, we broke the answers down by gender.
To the surprise of absolutely nobody, women were more comfortable admitting when they didn’t know something.
Or maybe this gap could be explained by men generally spending more time tinkering around with computers?
Next, we looked at the data by age group. This one revealed some interesting findings.
Much to our surprise, people in the 65+ age group were by far the most confident when it came to their phishing security.
While everyone hates a cynic, we can’t help but think that this is a prime example of the aforementioned “you don’t know what you don’t know” effect. The 65+ demographic has historically been the least technologically literate age group (just 18% say that they would be comfortable learning new technology on their own). It seems unlikely that this age group would really have that much better a handle on phishing prevention than any other. More likely, this is an example of 65+ business owners simply underestimating what it takes to prevent phishing.
Folks in their thirties and forties, on the other hand, are more aware of their own limitations. They seem ready to admit that they could be doing more:
Let’s take a look at how our phishing facts vary by region.
It looks like the Midwest and the Northeast are most unsure of themselves.
Plus, suburban and rural respondents were far less decisive one way or the other than their urban counterparts, who were much more likely to answer with a definitive “yes” or “no.” Maybe this is a byproduct of the stronger security communities that form in cities?
This one was one of our favorites. We compared answers by income level and found something especially interesting:
It turns out, people who earn under $25k or above $150k are the most likely to admit that they don’t know if their company is doing enough to prevent phishing. It seems like an odd matchup at first, but it makes sense when you think about it. Low earners are probably early in their career or have businesses that fall more on the “low tech” side of the spectrum, meaning that they don’t have to concern themselves much with computer security. The high earners are likely senior executives who have “people” to take care of these types of things for them.
Sure, there was variation. Some demographics were more or less confident than others. Interestingly, some of the most confident groups were also the ones least likely to actually have phishing under control (the 65+ age group comes to mind). But overall, most business owners simply don’t know if they’re doing enough to protect against phishing.
And you know what? That makes sense! Protecting against phishing is incredibly difficult. You can never quite be sure that you’ve caught everything, even if you think you have.
That type of discerning uncertainty is normal. In fact, we would argue that it makes you a better, more secure business owner.
So, let’s take a look at a few things that you can do to prevent phishing in your organization:
It’s not enough to rely on your email provider to stop phishing for you. We’ve said it before and we’ll say it again: you need to be proactive in your security instead of leaving it to your service providers (this goes for web hosting, too). The first step in that is being discerning about which email provider you pick. Make sure that your email service has solid security and strong anti-spam features. We’re partial to Gmail, ourselves.
Multi-factor authentication is a simple measure, but it can be the difference between a safe email account and a security disaster. Pick an email provider that offers multi-factor authentication. It’s a must-have. Again, we’re fans of Google.
These services automatically check your email for shady business. They put another level of security between you and the big bad world of phishing scams. We use and recommend an excellent service called Proofpoint.
Periodically train your users. Show them recent phishing attacks and make sure they know what to watch out for. Better yet, sign up for a service that does simulated phishing (then you’ll know you have to direct extra training to Bob in accounting… good going, Bob). We offer training as part of our recommendations.
CEOs and finance teams are especially high-risk positions. More than $2.3 billion has been stolen from unsuspecting CEOs and finance teams.
Teach your staff to be wary of links in email, specifically those to sites that they don't recognize.
Make sure your staff knows exactly who they should call if they think they might have a phishing email message. The last thing you want is for them to forward it around to everyone, creating an even bigger security headache.
Keep your computers and software patched. Many phishing scams rely on vulnerabilities found in old, out-of-date systems. This goes for tons of other types of malware, too. In general, leaving your machines unpatched opens up ugly, dangerous holes into your organization.
Use a password management tool like LastPass to encourage your employees to practice good password habits. Most people use the same password everywhere, or have horrifically insecure passwords (ever wonder how often people use “12345” as a password?). Not only will it make your lives easier in terms of day-to-day convenience, but it will also mean that if one password is stolen through a phishing site, your employee isn’t inadvertently giving the hacker access to all of their passwords.
It's critical to take phishing seriously in your organization. Phishing attacks lead to data breaches and compliance problems.