Are you an easy target? How to test the impact of phishing on your organization

Phishing is a growing problem. As protection becomes more sophisticated, so do the threats. With a high level of user education and technical protection, you can keep up with the perpetrators, but how vulnerable are you? With simple tools built into Microsoft 365, you can test how phishing affects your organization.

The trend is clear. Attempts to use fake emails to access users' account details continue to grow. The services that protect us from online fraud are becoming more sophisticated, but so are the threats. As fraudsters are constantly finding new ways, you are easy prey if you lack adequate protection.

Many companies know they need to improve security, but because they don't know where to start and don't want to make it too difficult for users, they choose to take a risk. All too often, the starting point for improving security is an incident. Instead of rolling out security solutions gradually and letting users get used to them, they are forced to make costly investments and radical changes in a short period of time.

Research shows that almost all companies have leaked user accounts and passwords even if they don't know it themselves, and with a bit of bad luck it can be a costly affair. You can read about how email scams can work in this article. For example, account details can be used for fraud, data theft or to take the user's computer hostage (ransomware). If the hacker manages to get beyond the user's device and into the corporate network, things can get really bad.

Training is as important as technical protection

It's easy to dream of 100% protection that blocks all attempts at account hijacking, but such a solution is impossible to achieve without compromising user-friendliness and productivity. Modern people want to be able to work from their home computer, check their email on their mobile phone and be on the move. In such a world, a certain amount of security thinking will always be required. On the other hand, we don't want employees to spend too much of their working day assessing whether their emails are potential security risks. It is best to strike a balance between educating users and using technical protection that can kick in if something goes wrong.

Phishing for knowledge gaps in your organization

If you are curious to know how a phishing attempt would affect your organization, there is actually a way to test it. In Microsoft 365, there is a built-in function for sending out fake scam emails with the aim of mapping the users' level of knowledge. The message sent out looks like a scam email, but instead of hijacking the user's account information, it maps how many people have opened it. It is not about blaming those who click. Instead, the tool is intended to be used to see if there is a need for training in the organization. If there are many clicks, an appropriate measure could be to organize a security workshop to teach employees how to recognize and report fraud attempts.

ATP - advanced protection using AI and machine learning

The education level of the users is important, but there is also a need for technical protection that, at best, can prevent you from clicking on that link. As a user of Microsoft's cloud services, you always have some protection against mass mailings and fraud, but it is only in Microsoft 365 Business that you automatically get access to more advanced protection in the form of ATP (Advanced Threat Protection). ATP is an industry-leading protection that, among other things, uses AI and machine learning to recognize and stop attempts to collect personal data.

Help, I've entered my account details where I shouldn't have!

If there's an accident and an employee has entered their name and password into a form, other Microsoft 365 features kick in to minimize the damage, provided you've made the right settings based on the level of security your business requires.

Because the system has learned how users work with their accounts, how they log in and how many files they share, it will react when a user does something out of the ordinary. If you rarely leave Sweden but suddenly log in from Denmark, a suspicion is raised. If you were then to log in from China an hour later, and you have the right settings, the system will require two-step verification or even lock the account. The information on how your users move around already exists. It is up to you as an IT strategist or CDO to decide what to do with it and what level of security you want. A good tool to test your security settings and visualize gaps is Microsoft's Secure Score tool, which evaluates your IT environment on a scale of points.
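The sign-in pattern described above (Sweden, then Denmark, then China an hour later) is what an "impossible travel" rule catches. The following is an added illustration of that logic, not Microsoft's own implementation: it runs over a few constructed sign-in events, flags a first sign-in from a country outside the user's learned baseline as suspicious, and escalates when the distance between two consecutive sign-ins could not have been covered in the time between them. The usernames, coordinates, timestamps and the 1,000 km/h threshold are all assumptions.

```python
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Constructed sample sign-ins for one user (not real log data):
# (username, UTC timestamp, country, city, latitude, longitude)
SIGNINS = [
    ("anna", "2024-03-01T08:00:00", "SE", "Stockholm", 59.33, 18.07),
    ("anna", "2024-03-01T12:30:00", "DK", "Copenhagen", 55.68, 12.57),
    ("anna", "2024-03-01T13:30:00", "CN", "Shanghai", 31.23, 121.47),
]

# Countries each user has previously signed in from (the learned baseline; assumed)
BASELINE = {"anna": {"SE"}}

# Faster than any airliner: an implied speed above this is physically impossible
MAX_PLAUSIBLE_KMH = 1000.0


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two coordinates."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi = p2 - p1
    dlmb = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def evaluate_signins(signins, baseline):
    """Return (user, city, verdict) per sign-in. Verdicts: 'ok', 'suspicious'
    (first sign-in from a country outside the baseline) or 'impossible_travel'
    (the distance from the previous sign-in cannot be covered in the elapsed time),
    where the policy would step up to two-step verification or lock the account."""
    verdicts = []
    last_seen = {}  # user -> (timestamp, lat, lon) of the previous sign-in
    known = {u: set(c) for u, c in baseline.items()}
    for user, ts, country, city, lat, lon in signins:
        t = datetime.fromisoformat(ts)
        verdict = "ok"
        if country not in known.setdefault(user, set()):
            verdict = "suspicious"
        if user in last_seen:
            t0, lat0, lon0 = last_seen[user]
            hours = (t - t0).total_seconds() / 3600.0
            dist = haversine_km(lat0, lon0, lat, lon)
            if hours > 0 and dist / hours > MAX_PLAUSIBLE_KMH:
                verdict = "impossible_travel"  # overrides 'suspicious'
        known[user].add(country)
        last_seen[user] = (t, lat, lon)
        verdicts.append((user, city, verdict))
    return verdicts
```

Stockholm to Copenhagen in 4.5 hours is a plausible trip and only trips the new-country check; Copenhagen to Shanghai in one hour is not, and that sign-in is the one the stricter policy should act on.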

Your security solution is perishable

With a high level of training, the right security settings and a system like ATP that hopefully steps in when someone makes a mistake, you can sleep relatively well at night - but unfortunately, you're not done there. As phishing attacks increase and become more sophisticated with each passing week, you need to regularly update yourself both technically and in terms of knowledge. The companies that invest in security on an ongoing basis are more or less evenly matched against the fraudsters. Those who do nothing will fall behind and put themselves at great risk.

If you want to find out how secure your current IT environment is, WeSafe will help you carry out a free security analysis and give you concrete tips and recommendations on what you can do to protect yourself from phishing and other fraudulent attempts. As your IT partner, WeSafe can then help you perform tests, review your IT environment, and propose solutions based on the capabilities of your Microsoft 365 licenses.


Written by:

Marcus Juvin

Head of Infrastructure & Security

marcus.juvin@upheads.se