1) Security Awareness Training
Your best line of defense against phishing attacks is continued education.
Phishing attempts are only successful because of human error, which means your employees need to be taught how to spot them before they fall victim to an attack. Conduct regular security awareness training, including enrolling your employees in courses that help them identify phishing attempts.
As a part of this training, you can even conduct phishing simulations to help them understand how they should respond in real-world situations.
2) Email Security
In addition to security awareness training, boost up your email security. Be certain spam filters are active on email accounts across your network. Make it easy for employees to report phishing scams and be vigilant when it comes to password security.
3) Disable Macros
A popular way for attackers to install malware or spyware on your computer is by delivering a Microsoft Office document that requires macros to run. Macros are shortcuts or specific keystrokes that make routine commands easier to implement (i.e. print, save, undo).
By disabling macros, you mitigate the risk of malware being installed on an enterprise by an employee who accidentally opens an infected attachment. Be sure to make this a default setting and enforce it in your group policy.
4) Implement Multi-Factor Authentication
Another effective step in protecting yourself from being hacked via phishing attempts is to enable multi-factor authentication on all accounts.
In the event you do fall victim to a phishing attack and accidentally hand over your email address and password, you have a second line of defense since you need another device in order to authenticate access. Microsoft reports this simple tactic blocks 99% of attempted hacks.
5) Encrypt Sensitive Data
Encryption converts all the data on your network and devices into something only accessible via an authentication key. By encrypting your data, you provide an additional layer of security in the event you're compromised due to a phishing attack.
6) Employ SSL Certificates
Secure Socket Layer (SSL) certificates indicate information transmitted between a user and a website is encrypted and secure.
These certificates are identified by, "https://" at the beginning of a URL address. Other times, it's indicated by a lock or the word "secure" in the browser bar. Websites without encryption only have, "http://" at the beginning of the URL address and often read "not secure" in the browser bar.
If your company's website collects any sort of personal information from its users (emails, passwords, credit card information, etc.), you need an SSL certificate to ensure their information is transmitted securely. Additionally, Google now uses SSL as a ranking signal. Without one, your website will be harder to find in search results.
7) Provide Securely Hosted Payment Pages
In addition to SSL certificates, if your business collects payment information via the web, it's important to provide securely hosted payment pages (HPP) for your users.
These are typically hosted by a third party and can either be embedded into your website or redirect users to a secure platform to process payments. An HPP is secure and PCI-certified, helps you avoid sensitive credit card information from passing through servers, and reduces your liability in the event credit card information is stolen.
8) Ensure Security Policy Covers Phishing Prevention Measures
Ensure your security policy clearly covers phishing prevention measures. This includes requiring security awareness training, establishing password requirements, mandating two-factor authentication, and policies for mobile device security.
Protect Your Company Now
Phishing is intentionally designed to trick, manipulate, and force an attacker's targets into surrendering personal and sensitive information. Sometimes phishing attacks are quick financial ploys. Other times, they are a small piece of a larger social engineering attack to bring down an enterprise.
It's vital for your small business to proactively train its employees to identify and prevent phishing attempts, including establishing detailed security protocols to mitigate exposing sensitive data.