You can’t read the news without hearing another discussion of a cyberattack crippling an unsuspecting company and impacting their ability to conduct business. It is well documented that over 90% of these attacks come from spear phishing. Whether it be through an unauthorized party gaining access to a network by convincing a user to turn over their credentials or ransomware launched to encrypt or disable an organization’s network, hackers are finding ways to bring organizations to a halt and management to its knees looking for solutions.

When we conduct spear phishing campaigns for our clients —an engagement designed to test a company’s spear phishing attack baseline —we use all information available to try and find a vulnerability which can be used to manipulate a user. Social media posts, press releases, and even information posted on the company’s own website can all be used to create a perfect campaign. In order to provide some insight into how to help management better prepare the company and its employees for these inevitable attacks, we’ve put together a brief DOs and DON’Ts list related to spear phishing.

• DO create a strategy to educate your employees on the risks of spear phishing and how to identify attempts. An educated employee is your best defense in avoiding a spear phishing attack.
• DON’T assume your company is safe because IT says it is. TRUST, but verify.
• DO perform periodic spear phishing campaigns to test your employees’ ability to detect and report a spear phishing attack. While training programs are important, testing the employees’ ability to detect a spear phishing attack will provide a baseline for risk and help the company refine their education program to address knowledge gaps.
• DON’T assume your spam filters are catching all the spear phishing emails before they reach your email box. Spear phishing attempts are getting more and more sophisticated and often can get through a spam filter.
• DO create an incident response plan in case you fall victim to a spear phishing attack. It’s not a matter of if you’ll have an attack…it’s when. Minutes of response time can be the difference between your company emerging relatively unscathed from an attack and a compromised network. Be prepared.
• DON’T assume your IT team can handle it on their own. Most IT organizations are built to keep the lights on and the company running, not respond to a sophisticated cyberattack. You want to make sure you can provide your IT team with a resource to help them respond to an attack.
• DO test your backups often for viability. A successful backup could be the difference between quickly bouncing back from an attack and a lengthy downtime for an organization. Test your backups at least quarterly to ensure they are viable.
• DON’T assume your backup solution is working as designed. More and more often, hackers who infiltrate a network are waiting in the shadows and corrupting backup solutions in advance of an attack to make it more likely that a company will pay the ransom once the cyberattack is launched.

If you’d like more information on how Citrin Cooperman’s TRAC team can help you prepare for and respond to spear phishing attacks, please contact Michael Camacho (mcamacho@citrincooperman.com) or Kevin Ricci (kricci@citrincooperman.com).