Key Strategies for SMEs to Fortify Against Cyber Attacks Revealed by Smriti Arya

Small Business Canada

In a revealing interview with CanadianSME Small Business Magazine, Smriti Arya, Content Analyst at GetApp Canada, shared her expertise on safeguarding small and medium-sized enterprises against increasing phishing attacks, especially during the holiday season. She highlighted key vulnerabilities such as heightened email activity and reliance on open WiFi networks. Emphasizing the effectiveness of cybersecurity training, Arya underscored essential components like understanding various cyberattacks, conducting knowledge assessments, and promoting strong password policies. Additionally, she advocated for the critical role of technology solutions like anti-phishing software and multi-factor authentication, alongside broader cybersecurity practices, to bolster defenses against these growing threats.

Smriti Arya is a Content Analyst for GetApp Canada, delivering key insights regarding software, business and tech trends directly to local SMEs. 


To begin with, could you share a bit about your professional journey, specifically what led you to your role as a Content Analyst at Gartner?

I have been working in the content writing and research field for the last 8 years and I am adept at meticulously researching a variety of topics. Coming from a technical academic background, I love writing on different technology trends and platforms. My work was recently featured in Canadian HR Reporter and Business in Vancouver. My research and data analysis skills, together with a wide understanding of software and technology, helped me achieve the role of a content analyst at Gartner, where I enjoy working on consumer and B2B surveys designed to help us analyze and discover industry trends.


Phishing attacks on small and medium-sized enterprises appear to increase significantly during the holiday season. What in your view are the factors that make these businesses particularly vulnerable to such attacks during this period?

Here are some possible factors that could lead to a holiday-specific increase in phishing attacks leading to vulnerability among small and medium-sized businesses:

• Increased email activity:
  With lots of “happy holidays” emails from management, clients, and external addresses, cybercriminals may get the opportunity to send a malicious link that can go undetected. If a worker falls prey to such emails, the entire organization could be at risk for a large-scale cyberattack. In fact, our study also revealed that 9 in 10 survey respondents received a phishing attack via email.
• Use of open WiFi networks:
  When people are on the move during their holidays, they usually make use of unsecured public/open WiFi networks to check their emails, which can put them at risk of cyberattacks.
• Inevitable spike in online shopping:
  The holiday season usually brings a spike in online shopping with people buying gifts for their loved ones. But, unfortunately, this can turn out to be a profitable season for cyberattackers as well, as they might use a variety of attack methods such as impersonating work colleagues or friends and sending employees malicious links to redeem rewards.

It has been observed that organizations which implement cybersecurity training tend to see a decrease in successful phishing attacks. What essential components do you believe should be included in this training to effectively equip employees against these threats?

We asked respondents who belong to senior management/leadership and who have phishing awareness training programs in their company if they find such training useful. 88% said that the training helped them notice a decline in successful phishing. In this context, it is important for organizations to conduct such programs for their employees on a regular basis. Companies may include the following components when designing cybersecurity awareness training programs for their employees:

• Deep dive into the different types of attacks
  Make sure to equip your teams with the knowledge to navigate different types of cyberattacks. Provide them with a deep understanding of viruses, malware, ransomware, and phishing attacks, to name a few, and how such attacks might occur. With such knowledge, your team may act as a first line of defence against cyber threats.
• Knowledge assessments
  Cybersecurity training should also include a component for assessment to know how much each employee has learned about cyberattacks. Such assessments can be in the form of attack simulations that could help employees understand how a cyberattack might happen and how to report such emails. In case employees fail to pass such quizzes, a follow-up training course should be provided to them.
• Educating the team on the importance of strong passwords
  Unique and strong passwords can potentially lower the chances of accounts getting hacked. Therefore, implementing a strong password policy at work and educating employees on the use of this policy could help ensure a secure environment. When we asked senior manager respondents about the actions they take in their company to ensure data security, 52% of the respondents reported that they adhere to the password policy for data protection.
• Data privacy policies
  It can also be essential to include knowledge of data privacy policies in your cybersecurity awareness training programs. Employees should know who has access to specific company data, how to store it securely, and how to prevent unauthorized entities from accessing such data.

With the rise of remote and hybrid work models, which are believed to be more vulnerable to phishing attacks, what specific strategies would you recommend companies adopt to safeguard their remote workforce?

Our research study reveals that 80% of senior manager respondents believe that companies operating remotely/hybrid are more prone to phishing attacks. Here are some strategies that companies may adopt to safeguard their remote workforce:

• Implement virtual desktop infrastructure for remote/hybrid workforce
  Virtual desktop infrastructure (VDI) allows employees to access work-related applications on a virtual machine that is located on a server in the data centre. In this context, VDI is designed to limit the risk that non-business apps can bring by restricting employees to only use work applications on a virtual network.
• Encrypt stored data
  Encrypting data stored on a work device could be an ideal practice to ensure data security. In case a device is stolen, employees may avoid a data breach issue if the data stored on it is encrypted. Implementing this strategy can help keep the data shared between company-owned servers and remote locations encrypted and make it unreadable for unauthorized entities without an encryption key, such as a PIN or password.
• Establish remote work policies
  Make sure to have comprehensive remote work policies in place that can include the eligibility to work remotely, the use of strong and unique passwords, installation of SSL security, and virtual private networks (VPNs).

Beyond establishing policies to restrict access to certain websites and educating employees about cyberattacker tactics, how significant do you think the role of technology solutions, like anti-phishing software and multi-factor authentication, is in protecting businesses from phishing threats?

Anti-phishing tools are designed to identify malicious data or messages through emails, links, or pop-up windows. Such software platforms usually comprise different computer programs such as firewalls, anti-virus programs, and email security software programs.

Speaking about our survey, it was revealed that over half (55%) of surveyed senior managers stated that their company has anti-phishing software in place, whereas 36% don’t, while 9% are unsure about it. Of those respondents who admitted to having anti-phishing software in their organizations, a significant proportion believe that it can help them defend against phishing attacks.

According to 63% of those respondents whose companies use it, the software regularly prevents phishing attacks, while 33% say it only prevents attacks from time to time. Looking at the stats, organizations should not just rely on such software to stay protected from attacks, but should also have other measures in place to double down on security. Therefore, organizations should use anti-phishing software as well as additional cybersecurity practices to ensure a secure work environment for everyone.


Based on your extensive experience and understanding of cybersecurity threats, particularly phishing attacks, what key piece of advice would you offer to small and medium-sized enterprises to bolster their defenses against such cyber threats?

While it’s not mandatory to implement all of these cybersecurity controls, we encourage small and medium-sized businesses to adopt the following practices to defend against cyber threats:

• Implement strong user authentication policies
  Ensure that all work devices authenticate users before they are able to access the company’s information and apps. Organizations can use two-factor or multi-factor authentication wherever possible to enhance security.
• Conduct regular data backups and encryption
  Run data backups on a regular basis so that sensitive data is always secure even if a cyber incident or a natural disaster happens. Encryption is another important aspect when it comes to data security as it can prevent third parties from reading/understanding encrypted data.
• Provide tailored training programs to employees
  Educating employees on different cybersecurity incidents and prevention strategies can reduce the likelihood of such events and make them able to safeguard their accounts against such attacks.
• Leverage the use of security tools
  Install anti-virus, anti-phishing, and firewall software on work devices to avoid phishing attacks and protect against malware.
• Monitor security activities
  Last but not least, it is crucial to monitor all the security activities organizations have in place to understand whether more strategies should be introduced to double down on security and how current cybersecurity techniques are working.
CanadianSME
With an aim to contribute to the development of Canada’s Small and Medium Enterprises (SMEs), Cmarketing Inc is a potential marketing agency and a boutique business management company progressing rapidly in its scope. By acknowledging a firm reliance of the Canadian economy over its SMEs, the agency has resolved to launch a magazine, the pure focus of which will be the furtherance of Canadian SMEs, and to assist their progress with the scheduled token of enlightenment via the magazine’s pertinent content.