In this Help Net Security interview, Pete Hoff, CISO at Wursta, offers advice to SMB security leaders and professionals on how to minimize the threat phishing presents to their organization’s operations and long-term success.
[Pete Hoff’s answers have been edited for clarity.]
What makes phishing attacks particularly challenging for small and medium-sized businesses?
The most complicated aspect of any crisis affecting a small or medium-sized business is that they are generally equipped with fewer resources than larger corporations. Whether it be a less experienced security capability, smaller headcount, smaller budget, and so on, fewer resources make everything a little trickier.
SMBs often have fewer cybersecurity guardrails in place due to a lack of informed leadership and lack of funds. This not only heightens their vulnerability to phishing attacks but also makes it more difficult to clean up the mess after an attack.
While a small business is less likely to make national headlines for falling victim to a phishing attack, there are still plenty of large-scale, long-term obstacles SMBs will face. For instance, a smaller organization only serving a couple hundred customers may encounter a breach of sensitive company data. This organization is more vulnerable to revenue loss and a lack of customer retention – a problem that larger corporations are less concerned about. In the same vein of revenue loss, if a phishing attack is focused on fraudulent wire transfer information, money could be mistakenly transferred to a cybercriminal.
In addition to tangible losses like this, irreparable damage to a small business’s reputation can also be a result of a phishing attack.
What are some common tactics that cybercriminals use in phishing attacks targeting cloud-based services and SaaS offerings?
A couple of frequently used forms of phishing attacks are password resets and threats of loss of services due to a licensing lapse. Oftentimes, phishers attempt to replicate a cloud services website to capture a user’s password. This is done by mimicking a company’s IT department requesting an urgent change of a password.
Another method of phishing attacks that we often see involves overpayment. Cybercriminals disguising themselves as customers will “mistakenly” overpay for a good or service, and then request that the company pay the difference back. When the original check they sent inevitably bounces, the organization is out however much money they sent back to the scammer in addition to the money already spent from the initial transaction. Similarly, if a hacker can gain access to company emails, they can commandeer emails from real customers and change the banking information to their own, causing payment to end up in the wrong hands.
Of course, we just saw the alarming Microsoft Teams phishing attack, which was a result of threat actors compromising SMB-owned customers and creating their own new domains. From there, the hackers shared messages that persuaded real users within the organization to approve multi-factor authentication checkpoints.
What are some cost-effective cybersecurity measures that can significantly reduce the risk of falling victim to phishing attacks? Which technological solutions and controls should companies implement, and how?
In 2023, cybersecurity is simultaneously more accessible and complex than ever. Because of the complexity of the current threat landscape, more advanced solutions have increasingly become available to organizations that may have assumed they didn’t have the resources to devise a strong cybersecurity strategy.
Google’s version of a zero-trust model, BeyondCorp, does a nice job of educating on some of the best ideas and practices from its vast community of customers. Tools like this enable organizations to shift access controls from the network perimeter to individual users and enable secure work from virtually any location without the need for a traditional VPN. Specifically, the practice allows for single sign-on, access control policies, access proxy, and user and device-based authentication and authorization.
A risk assessment based on, for example, the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF), is another cost-effective way for an organization to maintain a good cybersecurity posture. After the analysis takes place, a roadmap is created to help the organization reach its cybersecurity goals with the resources available to it.
Additionally, Google recently announced its version of a passwordless login, using passkeys (i.e., fingerprints and face ID), which are a way to make password compromise a non-problem.
Even with access to the tools above, SMBs often lack the expertise to implement them and monitor their systems to ensure security. That is where a virtual CISO can help: For a fraction of the cost of a full-time CISO, SMBs can get a similar level of security expertise to stay ahead of persistent threats.
To minimize the danger of phishing, how can businesses create a culture of skepticism and caution among their employees? If they implement simulated phishing campaigns, how can they avoid eroding employee trust in the company? How can businesses make training programs more effective?
Instilling a culture of hypervigilance within an organization will prove critical as we continue to see an increasing threat horizon. From my point of view, if a business is allocating time to educate their employees on the dangers of data compromise and how to avoid them, simulated phishing attacks won’t erode trust. Instead, employees will get to a point where they no longer think twice about a questionable request and will be confident in their ability to sidestep a threat.
A company that wants to take a serious approach to cybersecurity should have rigid employee training and processes in place to avoid falling victim to attacks like phishing. Phishing awareness training is a practice commonly utilized among organizations that handle sensitive data.
Something I strongly advise companies to do is re-evaluate the internal communications channels they use. For example, keeping communications to one specific platform can help employees streamline legitimate email requests from falsified ones. Similarly, an employee who is rarely or never in communication with the CEO should immediately suspect that a rogue email request from the CEO is fishy. Before making any moves, the employee should instinctually notify their manager and consider contacting the CEO from a different channel or platform to verify the legitimacy of the request.
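The verification habits described in the answers above (a request from an executive who never normally emails you, a customer "correcting" their bank details, a newly registered lookalike domain) can be partially automated before a message ever reaches the employee. The following Python screen is an added example for this article, not code from the interview or from Wursta; the organisation data (internal domains, protected executive names) and the two sample messages are constructed for illustration, and the phrase list is a hypothetical starting point rather than a vetted ruleset.

```python
"""Heuristic pre-screen for impersonation and payment-redirection emails.

Flags the patterns discussed in the interview so that the recipient is told
to verify the request over a different channel before acting on it.
"""
import email
from email import policy
from email.utils import parseaddr

# Hypothetical organisation data; a real deployment would pull these from a directory.
INTERNAL_DOMAINS = {"example.com"}
EXECUTIVE_NAMES = {"jane doe"}          # display names worth protecting (lower-case)

# Phrases typical of the overpayment / "our bank details changed" schemes.
PAYMENT_PHRASES = (
    "new bank account", "updated wire instructions", "routing number",
    "refund the difference", "overpaid", "change our banking details",
)


def _domain(addr: str) -> str:
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one-character lookalikes (examp1e.com)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain: str) -> bool:
    """True when a non-internal domain is within one edit of an internal domain
    or embeds it (example-com.net, example.com.evil.net)."""
    if not domain or domain in INTERNAL_DOMAINS:
        return False
    for internal in INTERNAL_DOMAINS:
        label = internal.split(".")[0]
        if _edit_distance(domain, internal) <= 1:
            return True
        if domain.startswith(label + "-") or domain.startswith(internal + "."):
            return True
    return False


def screen_message(raw: str) -> list[str]:
    """Return the reasons a message should be verified out of band.

    An empty list means none of the heuristics fired; it is not proof the
    message is legitimate, only that this screen found nothing.
    """
    msg = email.message_from_string(raw, policy=policy.default)
    name, addr = parseaddr(str(msg.get("From", "")))
    from_dom = _domain(addr)
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    reasons = []

    # Executive display name arriving from outside the organisation.
    if name.strip().lower() in EXECUTIVE_NAMES and from_dom not in INTERNAL_DOMAINS:
        reasons.append(f"executive display name '{name}' sent from external domain {from_dom}")
    # Freshly registered lookalike of the company's own domain.
    if is_lookalike(from_dom):
        reasons.append(f"sender domain {from_dom} resembles an internal domain")
    # Replies silently routed to an address the sender did not appear to use.
    if reply_addr and _domain(reply_addr) != from_dom:
        reasons.append(f"Reply-To {reply_addr} routes replies to a different domain")

    body = msg.get_body(preferencelist=("plain",))
    text = (body.get_content() if body else "").lower()
    hits = [p for p in PAYMENT_PHRASES if p in text]
    if hits:
        reasons.append("payment-redirection language: " + ", ".join(hits))
    return reasons


# Constructed sample messages (not real traffic).
BEC_SAMPLE = """From: "Jane Doe" <jane.doe@example-com.net>
Reply-To: <accounts@mail-relay.test>
To: clerk@example.com
Subject: Urgent: vendor payment
Content-Type: text/plain; charset="utf-8"

Please process the invoice today. The vendor sent updated wire instructions;
the new bank account and routing number are attached. Keep this between us.
"""

LEGIT_SAMPLE = """From: "Jane Doe" <jane.doe@example.com>
To: clerk@example.com
Subject: Board deck
Content-Type: text/plain; charset="utf-8"

Attached is the draft for Thursday. No action needed.
"""

if __name__ == "__main__":
    for label, sample in (("BEC", BEC_SAMPLE), ("legitimate", LEGIT_SAMPLE)):
        print(label, "->", screen_message(sample) or ["no findings"])
```

Each reason maps to one of the out-of-band checks the interview recommends: a flagged message is not blocked, it is handed to the recipient with an instruction to confirm with the supposed sender over a channel the email itself did not supply.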
In the event of a successful phishing attack, what are the recommended steps for an organization to conduct a thorough post-incident analysis, learn from the experience, and enhance their security posture moving forward?
After a successful phishing attack on an organization, it’s expected that many daily operations will shift and there will be new procedures and rules put in place. After an attack of any kind, there will likely be a period of “down time,” where an organization will instill a service interruption while they remediate and get back on track. The potential for down time, which can result in stunted customer service, loss of revenue, etc., emphasizes the need for a business continuity (BC) plan.
The purpose of a BC plan is to ensure organizations have strong backup plans enabling them to continue operations and avoid the bulk of that down time after an attack.
For smaller organizations with fewer resources, we recommend they utilize a streamlined and lean approach involving the creation of accounts and the allocation of identities.
Businesses with a larger cybersecurity budget can implement a slightly more complex plan, in which they can sync email and document repositories for a 30-day span, including complete email archives.
For the most ambitious companies, their ideal BC plan might consist of syncing their key data regularly (i.e., all email history), with more tailored practices woven into the plan. This approach is what we recommend all our customers work toward even if they’re not currently equipped to incorporate it.
As a bonus, business continuity plans are a solid way to lower an organization’s cybersecurity insurance premiums.
Beyond immediate financial losses, what are some indirect costs and long-term consequences that a business might experience after falling victim to a phishing attack, and how can they proactively manage these impacts?
There are several ways a phishing attack can directly affect an organization (in addition to the immediate financial losses). Companies that fall victim will likely spend more time, energy, and money than anticipated cleaning up the mess.
Some additional consequences I’ve seen throughout my decades of work in the cybersecurity industry are:
- Disruption of day-to-day operations (resulting in additional financial losses) as IT teams work to get everything secure and running smoothly again
- Stolen intellectual property and proprietary information for companies working hard to maintain a competitive edge
- Increased cost of insurance premium for the organization following a claim
- Reputation damage and loss of long-term customer trust
- Legal and regulatory issues, depending on the type of data compromised, including class action lawsuits
Something many leaders fail to realize – until it’s too late – is that a phishing attack can also have a long-term effect on employee morale. Unexpected cyberattacks have the tendency to send executives and managers into a frenzy, which often trickles down throughout the entire company. It’s critical for managers to lead with empathy and prioritize company culture and values to keep morale high.
It will be increasingly imperative that leaders keep both short and long-term risks at the forefront of cybersecurity conversations.
What emerging trends or developments do you foresee in the world of phishing attacks, and what proactive steps can SMBs and SMEs take to stay resilient against these evolving threats?
In general, the number one thing business leaders should be vigilant about when it comes to their cybersecurity strategy is the constant emergence of new technologies. With new tools like AI, and more organizations moving their operations to the cloud, comes new landscapes for hackers to compromise.
It’s important for business and technology leaders to keep their ear to the ground on emerging and growing threats that other organizations might be falling victim to. One of the easiest ways to ensure your organization is secure is to learn from others’ mistakes.
The weakest link in all security will be the human in front of the keyboard. Educating users on new and emerging attacks helps to reduce the impact of phishing as well.
For businesses looking to improve education and processes to protect against phishing attacks, they should start with a risk assessment as a first step. Risk assessments, when completed proactively, can prevent security breaches or loss of data by identifying potential risks and vulnerabilities ahead of time. They allow companies to stay informed about their security status and provide endless plans for beefing up their strategy, no matter how limited their resources are.