In our latest blog piece, our MD Guy Phoenix shares a personal experience of email phishing…
Earlier this week I was having some problems with my laptop computer, and so I lost about an hour of work time in the morning whilst one of the CCS technical team was working on resolving the issues.
They got it running again, but I needed to leave the office for a meeting, so I did a quick scan of my emails. In a rush, I noticed one from a known supplier with an invoice attached. Thinking I was up-to-date with them, I clicked on the invoice attachment to see what it was for.
When I clicked, a new tab opened in my browser. It was a Microsoft login window, advising I needed to enter my username and password. Fortunately, this set off alarm bells in my head and I realised immediately I had clicked on a phishing email.
I immediately advised the technical team at CCS (who had just fixed my laptop!) and their standard email phishing cybersecurity protocols kicked in:
- Disconnect from the network
- Forced password reset – ALL accounts
- Full security check of the laptop
This was monumentally inconvenient of course, but better that than facing the consequence of inadvertently giving my account details to a hacker from their simple email phishing exercise.
I travelled to my meeting (which I was now late for) and en route I received an encrypted text message from my tech team with my new passwords, which we had agreed they would send, and I confirmed receipt of the same. On arrival at my meeting, I apologised and explained the reason for my tardy arrival. The response I received is what prompted me to write this blog piece. They said two things:
1) They were impressed with the CCS responsiveness and wished their own IT provider responded so diligently (which of course presents a sales opportunity!)
2) They remarked ‘how embarrassing’ given that I run an IT company
I wasn’t the slightest bit offended since this is all-too-often the kind of comment we hear from clients who have been successfully hacked. Staff members are often unwilling or embarrassed to tell their management team or IT team that they have been potentially compromised by clicking on an email.
The manner in which I reacted to my phishing email is precisely the way I expect any member of my staff to behave, so there was an element of leading-by-example in what I did. However, the point of being completely open about it is key. Staff at every level in an organisation need to be open, immediate and provide full disclosure if they click a bad link. Sunshine is a great disinfectant, and by shining an immediate light on the issue, they allow the IT team to do what they need to do to protect the individual – and the company – from a successful cyber incursion.
This approach is as much about company culture as it is about IT policy. Staff need to be encouraged to be open about IT security issues, secure in the knowledge that they will be thanked for their openness without fear of reprisal.
In parallel, the need for cyber hygiene training is paramount. The ability to recognise a phishing email (as I did), coupled with additional knowledge on how to conduct yourself online in general, is critical to protecting businesses from cyber attacks. The inadvertent ‘insider threat’ is still responsible for the vast majority of successful hacks, in organisations of any size. Regular cyber hygiene training is inexpensive (for example, Fresh Mango provide online courses that start from £25 per person) and hugely beneficial.
Coincidentally, the next morning CCS conducted a cybersecurity seminar where the subject was phishing emails. I was able to open with a full mea culpa. Message? It can happen to anyone.
It’s too easy for the hackers if we aren’t careful.