Symantec has released its 2014 Internet Security Threat Report, compiling data on trends in email security and cyber risk over the last two years. Here are some of the key findings:
- Malicious email campaigns rose 91 percent between 2012 and 2013.
- While there were more campaigns, fewer malicious emails were sent overall (meaning hackers were more closely targeting their victims).
- Since 2011, small business email attacks rose 60 percent.
- Malicious email attacks lasted longer (usually around 8 days) and have become sneakier.
Sneakier, you say? What makes an email sneaky? Good question. Let's look at how cyber criminals have improved their "phishing" email game over the last few years.
What Is Spear Phishing? (Answer: An Email Sneak Attack)
Security experts might as well be poets, given all the clever metaphors they come up with for cyber attacks (see: Trojan horses, viruses, worms, phishing, and spear phishing). To understand how email attacks work, let's examine how spear phishing differs from a basic email attack.
A basic phishing email is a message that contains a link to a website (or an attachment) that allows cyber criminals to steal data, collect login information, or remotely access your network. A spear phishing email is a more advanced version of this basic attack.
While your clients can probably discern most spam email from legitimate messages, spear phishing emails are disguised to such an extent that it's easy for a client to click on the email and make a careless mistake.
Spear phishing emails are part of this sneaky trend. Cyber criminals scrape data from a client's website and social media. By looking at a client's posts, followers, and other social media info, cyber criminals can generate an email that looks like it comes from someone the client works with. Let's look at some examples.
Spear Phishing Examples: How an Email Can Cause a Data Breach
Most spear phishing attacks appear to come from financial institutions like banks, payroll / HR companies, and other groups to whom your clients might send financial, personal, or other data attractive to hackers.
Some attacks are even designed to look like emails coming from the client's top brass. Hackers do this because they figure (rightly) that if an employee receives an email from their boss, they're going to read it.
We profiled a recent spear phishing example in our article "Tried and True: Phishing Still Causes Data Breaches." In an email attack against three Texas healthcare organizations, cyber criminals sent emails that resembled the typical requests doctors receive for patient data. When the doctors replied to these emails, cyber criminals were able to use the doctors' information to illegally access thousands of patient records.
The Spear Phishing Takeaway: Advanced Attacks Can Hurt Small Businesses
As we’ve seen, these pernicious email campaigns have increasingly targeted small businesses.
Because these attacks have become more sophisticated and better disguised, there's a chance your clients won't be able to recognize them. This could open the door for a data breach and a lawsuit against your business.
As you know, the tricky thing about IT security is how interconnected everything is. For instance, an advanced spear phishing attack could target a client's employee who happens to use their laptop at home on their personal network. Security you have in place at the office network might not be able to prevent malware from an email opened at home from spreading to the office network when the employee arrives for work the next day.
It's situations like this that remind you how hard it is to maintain institution-wide data security.
How to Protect Your IT Business from Spear Phishing Data Breaches and Lawsuits
For small IT businesses, consultants, and independent contractors, there's actually IT Insurance to cover your data breach, spear phishing, and other professional liabilities.
A professional liability is a responsibility you have to your customers. It's your responsibility to deliver quality work and to prevent data breaches on client networks. As an IT professional, when you know of a new threat (like more advanced phishing attacks), you're responsible for incorporating this knowledge into your IT solutions and warning clients about possible threats that could attack their data.
Errors and Omissions Insurance is to techies what Malpractice Insurance is to doctors. When a client sues you for data breaches or a mistake in your work, E&O coverage pays for the lawsuit, potentially saving you hundreds of thousands in legal expenses.
For a free quote on IT Insurance, submit an online insurance application.
