
Kenneth Ellington on The One Cybersecurity Issue Most Businesses Get Wrong

Updated May 29, 2025

by Ovy Dizon

For decades, phishing scams have targeted businesses to gain access to the treasure trove of valuable data they store. Find out from Kenneth Ellington, founder of Ellington Cyber Academy, why small to mid-sized companies are attractive cyberattack targets and how they can protect themselves from data breaches.

As soon as the internet became widely available, bad actors found ways to misuse it for criminal gains. Phishing scams were first documented in the mid-1990s. Decades later, phishing remains one of the most prevalent cybersecurity threats today. 

Cybercriminals often target businesses to gain access to a wealth of client information, financial details, and valuable business data. Small to medium-sized companies are at particular risk because they typically have fewer resources, which usually means fewer cybersecurity protections and undertrained employees.


Phishing attacks can subject a company to financial losses, operational disruptions, and irreparable reputational damage. Considering the well-known scope and effects of phishing scams, one would assume that most companies know exactly how to avoid falling victim. But unfortunately, phishing is one of the cyber threats that businesses often underestimate, causing themselves preventable harm.

With insights from Kenneth Ellington, founder of Ellington Cyber Academy, we’ll discuss types of phishing attacks, why they target businesses, and how small and midsized companies can protect themselves from phishing scams.


Types of Phishing Attacks

“Phishing” is an umbrella term covering various similar but distinct cybercrimes. The most common types of phishing attacks include:

  • Email phishing: In the traditional form of phishing, attackers send mass emails to trick recipients into handing over their private details, including sensitive login information.
  • Spear phishing: These targeted phishing attacks focus on specific organizations, sometimes even particular individuals within them.
  • Whaling: Criminals send fraudulent emails to company executives or other top-level business targets, hoping to catch “the big one.”
  • SMS text message phishing (“smishing”): In smishing attacks, cybercriminals use fake text messages to deceive recipients.
  • Voice phishing (“vishing”): Vishing is a type of social engineering attack that is conducted over the telephone.
  • Angler phishing: Attackers use social media platforms to impersonate legitimate brands’ customer support or even fellow users, often offering help with an issue, to obtain sensitive data.

But why are businesses so quickly targeted by these various phishing scams?

Why Phishing Scams Target Businesses

Criminals, including those operating in the cyber realm, frequently target the individuals or organizations most likely to yield lucrative results. Phishing scams often target businesses, especially smaller or mid-sized ones, for reasons such as:

  • Lack of cybersecurity training and awareness
  • Limited cybersecurity infrastructure
  • Financial and data theft

Here’s a more in-depth explanation of these phishing scam motivators.

Lack of Cybersecurity Training and Awareness

Inadequate security awareness training — particularly a lack of knowledge about phishing scams — makes a company’s employees more susceptible to these attacks. A lack of cybersecurity training and awareness leaves a gap in the company’s security defenses that cybercriminals can exploit, potentially gaining access to sensitive customer or company data. 

Even the pros can get tripped up during a perfect storm of circumstances. 

Kenneth Ellington admits, "I once fell for a phishing email at my own company because I was too busy to pay attention — despite my job being to prevent these things. If it can happen to me, it can happen to anyone."

Limited Cybersecurity Infrastructure

Attackers see businesses with insufficient system security measures as prime targets for phishing scams. Outdated systems, inadequate employee training, and weak password requirements essentially advertise to cybercriminals that the company and its employees are easy targets. With little effort, scammers can bypass the company’s network security protocols and access sensitive data.

Financial and Data Theft

Companies are attractive targets for phishing scams because they usually possess valuable data, customer details, intellectual property, and financial records. Criminals covet this information for identity theft, fraudulent transactions, or sale on the dark web. They can also seize control of the company’s data and refuse to release it until they receive payment as ransom.

How Small-to-Medium-Sized Businesses Prevent Phishing Scams

Thanks to their seemingly endless resources, large businesses and megacorporations are typically better equipped to protect themselves from cybercrime. That doesn’t mean smaller and mid-sized companies are helpless, however. 

Taking some strategic measures can help these organizations guard their priceless data, including:

  • Employee training
  • Regular system updates
  • Utilizing cybersecurity tools

Let’s take a closer look at how these security measures help to protect businesses from cyberattacks.

Employee Training

“Typically, businesses rely on an IT person, if they even have one, who manages everything from servers and websites to payment processing. Adding cybersecurity responsibilities can be overwhelming, especially since not all IT professionals specialize in security,” says Ellington.

A company’s IT staff isn’t solely responsible for data security. Every employee in the organization should receive training on how to detect and deflect cybercrime, including phishing scams. Educating employees on identifying and avoiding suspicious emails, links, text messages, and social engineering scams helps reduce the risk of human error leading to a catastrophic cybersecurity breach. 

Training promotes a security awareness culture that encourages employees to stay vigilant and take responsibility for protecting their company from cyber threats.

Regular System Updates

When a company regularly updates its systems, software, and network, it closes the vulnerabilities and security flaws that attackers exploit in outdated software. Updates often include security patches that fix weaknesses criminals could otherwise use to compromise systems or steal data.

Keeping systems up-to-date helps to protect businesses from phishing scams and other cyberattacks. 

Utilizing Cybersecurity Tools

Cybersecurity tools use various methods to prevent attacks, including:

  • Email filtering: Advanced email filters scan incoming emails for suspicious patterns and characteristics of phishing scams. They identify spoofed email addresses, unusual links, and deceptive requests. By blocking malicious emails before they reach users’ inboxes, these tools reduce the likelihood of successful phishing attacks.
  • Link analysis: Targeted anti-phishing software analyzes links within emails to determine if they lead to harmful websites or deceptive login pages. This helps prevent users from clicking on malicious links.
  • Advanced threat detection: Advanced anti-phishing programs use algorithms and machine learning to analyze behaviors and patterns that indicate phishing scams, which lets them identify and block new phishing attempts as they appear.
  • Anti-malware integration: Anti-phishing tools and anti-malware software join forces to scan emails and attachments for dangerous content. Malicious code or files within emails never reach the end user.
  • Multi-factor authentication (MFA): MFA adds an extra layer of security to login processes by requiring users to provide multiple types of identifiers, such as a password plus a code sent via text message. This extra layer can stymie attackers even if they have obtained passwords through successful phishing scams. 

Businesses should consider which tactic works best for them, but whatever they choose, they need to have at least one of these protections in place.
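As an added illustration of what the email filtering and link analysis checks above actually look at (this is example code written for this article, not software from Clutch or Ellington Cyber Academy), the script below runs three simple heuristics over two constructed messages: a brand name in the display name mailed from an unrelated domain, visible link text that names a different domain than the link's real destination, and pressure language in the text. The brand allow-list, domains and sample messages are all made up for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed allow-list: a brand word that may appear in a display name -> the domain it really mails from.
KNOWN_BRANDS = {"paybank": "paybank.example"}
ANCHOR = re.compile(r'<a\s[^>]*href="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)  # a simple regex is enough for this demo
LOOKS_LIKE_URL = re.compile(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?$", re.I)
URGENCY = re.compile(r"\b(urgent|suspend\w*|within 24 hours|verify your account|immediately)\b", re.I)

def host_of(url):
    # Hostname of a URL or bare domain, lower-cased ('' if none).
    return (urlparse(url if "://" in url else "http://" + url).hostname or "").lower()

def is_legit_sender(sender_domain, real_domain):
    # The brand's own domain or any of its subdomains counts as legitimate.
    return sender_domain == real_domain or sender_domain.endswith("." + real_domain)

def analyze(raw_message):
    # Returns a list of findings for one RFC 822-style message; an empty list means nothing was flagged.
    msg = message_from_string(raw_message)
    body, findings = msg.get_payload(), []
    display, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rsplit("@", 1)[-1].lower()
    # Check 1 (spoofed sender): a known brand in the display name, but mailed from an unrelated domain.
    for brand, real_domain in KNOWN_BRANDS.items():
        if brand in display.lower() and not is_legit_sender(sender_domain, real_domain):
            findings.append(f"spoofed sender: '{display}' mailed from {sender_domain}")
    # Check 2 (link analysis): the visible link text names one domain while the href goes to another.
    for href, text in ANCHOR.findall(body):
        text = re.sub(r"<[^>]+>", "", text).strip()  # drop any tags nested inside the anchor
        if LOOKS_LIKE_URL.match(text) and host_of(text) != host_of(href):
            findings.append(f"mismatched link: shows {host_of(text)} but goes to {host_of(href)}")
    # Check 3 (deceptive requests): pressure language typical of phishing lures.
    if URGENCY.search(msg.get("Subject", "") + " " + body):
        findings.append("urgency language")
    return findings

# Constructed sample messages (not real mail): a lure and a legitimate notification from the same brand.
SAMPLE_PHISH = ('From: "PayBank Support" <alerts@paybank-secure-login.example>\n'
                'Content-Type: text/html\n\n'
                '<p>Your account will be suspended. Verify now: <a href="http://paybank-secure-login.example/verify">'
                'https://www.paybank.example/login</a></p>\n')
SAMPLE_LEGIT = ('From: "PayBank Support" <support@notify.paybank.example>\n'
                'Content-Type: text/html\n\n'
                '<p>View it at <a href="https://www.paybank.example/statements">'
                'https://www.paybank.example/statements</a>.</p>\n')

if __name__ == "__main__":
    for name, sample in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(name, analyze(sample) or ["no findings"])
```

Real filtering products combine many more signals (sender authentication results, URL reputation, attachment scanning) and weight them; the point here is that each check is ordinary text and URL comparison, not magic.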

Develop an Incident Response Plan

“Most small businesses don’t have a cybersecurity plan or even know what one is, which is a major issue. The worst time to plan for a disaster — whether a fire or a flood — is when it’s already happening, and you’re trying to escape,” adds Ellington. 

Cybercriminals frequently target smaller and mid-sized businesses due to the wealth of information they store, their often inadequate cybersecurity infrastructure, and the likelihood that their employee training on phishing scams and other cyber threats is insufficient or nonexistent. 

Even so, security and data breaches aren’t inevitable. With adequate employee training, regular system updates, and robust cybersecurity measures, companies can prevent phishing attacks from causing financial losses, disrupting operations, and damaging their reputations.

Still, best practice demands readiness for the possibility that a phishing scam or cyberattack could lead to a security breach. A cybersecurity incident response plan can be a company’s saving grace by minimizing an attack’s impact, maintaining business continuity, and protecting the organization’s reputation. A well-designed incident response plan enables faster incident detection, containment, and recovery.

Read through Kenneth Ellington’s full perspective on cybersecurity for businesses.

About Kenneth Ellington, Founder of Ellington Cyber Academy


Kenneth Ellington is a cybersecurity instructor and a cyber threat hunter. He helps cybersecurity professionals and organizations strengthen defenses, build teams, and advance careers.
