Just released, the UK's Cyber security breaches survey 2024 states "The most common type of breach or attack is phishing (84% of businesses and 83% of charities)."
And clearly phishing is succesful because "Half of businesses (50%) and around a third of charities (32%) report having experienced some form of cyber security breach or attack in the last 12 months. This is much higher for medium businesses (70%), large businesses (74%) and high-income charities with £500,000 or more in annual income (66%)."
The shocking takeaway from the survey is " The proportion of businesses seeking external information or guidance on cyber security has fallen since 2023. In addition, a sizeable proportion of organisations, including larger organisations, continue to be unaware of government guidance such as the 10 Steps to Cyber Security, and the government-endorsed Cyber Essentials standard. Linked to this, relatively few organisations at present are adhering to recognised standards or accreditations."
Phishing attacks are increasing, almost 5 million in 2023. Cyber breaches are increasing as a result of phishing but businesses are not reacting. Does this make any sense?
What to do? The technical solution (but only 50% of solution)
Free for every organisation to action is the deployment of SPF (Sender Policy Framework), DKIM (DomainKeys Identified Mail), and DMARC (Domain-based Message Authentication, Reporting & Conformance) on their email platforms to protect their brand reputation, enhance email deliverability, and combat phishing attacks.
SPF verifies the list of servers authorised to send emails from your domain. DKIM adds a digital signature to emails, proving they haven't been tampered with. DMARC builds on these protocols, telling email servers how to handle messages that fail SPF or DKIM checks (e.g., quarantine or reject). Together, they prevent malicious actors from using your domain to send fraudulent emails, safeguarding your customers, partners, and your business's good name.
Fully deploy anti -phishing solutions that you have included in your email platforms.
If you utlise Google Workspace:
Google Workspace doesn't have a single anti-phishing solution, but rather a multi-layered approach using various features across its platform:
Core Protections:
Gmail Spam Filtering: Google's AI-powered spam detection flags many phishing emails before they even reach your inbox.
Malicious Link & Attachment Warnings: Gmail displays prominent warnings on emails containing suspicious links or attachments, slowing down impulsive clicks.
Spoofing and Impersonation Detection: Analyses email headers and content to identify attempts to impersonate legitimate senders.
Enhanced Security Settings:
Advanced Phishing and Malware Settings: Within the Google admin console, admins can enable stricter filtering, quarantine rules, and more.
Security Dashboard: Provides insights into potential phishing attacks and actions taken against them.
Additional Protections with Google Workspace Enterprise:
Security Center: Includes investigation tools specific to phishing and security alerts.
S/MIME (Enterprise Plus only): Allows for email encryption and signing to increase trust in message authenticity.
If you utilise Microsoft 365:
Microsoft 365 offers several built-in anti-phishing solutions across different subscription levels. Here's a breakdown:
Core Protections (Included in most plans)
Exchange Online Protection (EOP): Filters incoming emails, scanning for malware-laden attachments, malicious links, and spoofed senders. This is your first line of defence.
Safe Links: Scans links within emails and Office documents at the time of click, blocking access to known malicious websites.
Anti-Impersonation: Detects attempts to spoof internal users (like your CEO) or trusted business partners.
Basic Awareness Training: Some plans include limited security awareness content for your employees.
Plans that DEFINITELY include Exchange Online Protection:
Microsoft 365 Business Basic
Microsoft 365 Business Standard
Microsoft 365 Business Premium
Microsoft 365 Apps for Business/Enterprise
All stand-alone Exchange Online plans
Enhanced Protections (Often require add-on or higher-tier plans)
Microsoft Defender for Office 365 (Plan 1 & Plan 2):
More advanced phishing simulations to train your staff
Automated investigation and response tools to help neutralise phishing attempts
Detects unusual email patterns and potential account compromises
Safe Attachments: Sandboxes suspicious attachments, opening them in a safe environment to analyse their behavior.
Plans that INCLUDE Defender for Office 365 Plan 1:
Microsoft 365 Business Premium
Microsoft 365 E3
Microsoft 365 F3 (sometimes called "Frontline Worker")
Standalone Microsoft Defender for Office 365 Plan 1 Subscriptions
Remember no platform is foolproof. Many businesses consider third-party solutions to supplement built-in protections, especially for advanced threat detection.
We offer expert deployment and support for Google Workspace and Microsoft 365.
What to do? The human solution (the other 50%, price below)
Cyber security awareness training is a must for businesses of all sizes. It's about more than just avoiding dodgy emails – it's about empowering your employees to become your first line of defence against cyber attacks. Train your on the dangers of phishing, how to spot the red flags, regular training is key to protecting your business.
Regular training is key here. Annual training does not work for many reasons. We recommend 15 minute training sessions bi-weekly. Our clients utilise USecure
The platform focuses on three main areas: security awareness training, simulated phishing attacks, and dark web monitoring.
USecure's platform is designed to empower employees to make better security decisions. OCM provide everything you need to tackle human risk, managed for you.
We tackle human risk through a proven formula :-
Calculate Risk: We'll shine a light on your organisation's current employee security posture and generate a free Human Risk Report (HRR) that outlines your Risk Score on a business and user level with a step-by-step action plan for each employee.
Reduce Risk: Your staff will be enrolled on their personalised HRM programme, with bite-sized training courses and periodic phishing simulations that strengthen their security trainig.
Monitor Risk :Understand the impact of your HRM programme with regular summary reports that outline training performance, phishing results and your ongoing human risk score.
Delivered through by:
Security Awareness Training Bite-sized videos and interactive training courses that cover core information security and compliance topics tailored to each employees needs. USecure identifies user vulnerabilities and delivers training programs to address those weaknesses.
Simulated Phishing Trackable simulated phishing campaigns with readily-made and custom templates. Followed up reinforcement videos when employees are caught out.
Dark Web Monitoring Dark web scanning that detects exposed user data that could be leveraged for a cyber attack.
Policy Management Centralised pre-loaded policy library that simplifies and tracks employee signature approvals.
Human Risk Scoring Company-wide human risk scoring that fuses all reporting metrics into one easy-to-digest tracker. In-Depth Risk Analytics dig deep into human cyber risk with user performance profiles, trends and custom segments.
Training your employees to be Cyber Aware reduces risk and is often overlooked by many organisations.
OCM provide USecure for £2.00 a user, per month + VAT.