Email remains the number-one threat vector used by cybercriminals. Threat actors continue to use email-based attacks to target people within an organisation, as opposed to infrastructure and networks. In fact, recent Proofpoint research revealed that more than 99 per cent of cyberattacks require human interaction to be successful. This highlights that although an organisation’s employees can be its biggest asset, they also have the potential to be its biggest risk.
Using a wide range of phishing techniques, cybercriminals increasingly trick employees into clicking on an unsafe link, giving away their credentials or even carrying out commands directly (such as transferring money or sending sensitive files). With this in mind, it’s vital that organisations take a people-centric approach to cybersecurity and raise security awareness among employees. But what is the current global state of phishing attack knowledge?
Proofpoint recently released its sixth annual State of the Phish report, which examines phishing trends on a global level. It analyses data compiled from multiple sources, including a survey of more than 600 infosec professionals across seven countries. The report also provides an in-depth look at user phishing awareness, vulnerability and resilience.
Among the key findings, nearly 90 per cent of global organisations surveyed were targeted with business email compromise (BEC) and spear-phishing attacks, reflecting cybercriminals’ continued focus on compromising individual end-users. With the FBI recently citing that BEC attacks had caused losses of more than $26 billion in the past three years, it’s easy to see why email attacks are becoming one of the most expensive cyber risks to organisations.
The good news is that due to increased focus on cybersecurity awareness training within organisations, employee awareness is on the rise, with 78 per cent of respondents reporting that security awareness training activities resulted in measurable reductions in phishing susceptibility.
Additional key findings include:
- More than half (55 per cent) of surveyed organisations dealt with at least one successful phishing attack in 2019. Infosec professionals reported a high frequency of social engineering attempts across a range of methods: 88 per cent of organisations worldwide reported spear-phishing attacks, 86 per cent reported BEC attacks, 86 per cent reported social media attacks, 84 per cent reported SMS/text phishing (smishing), 83 per cent reported voice phishing (vishing) and 81 per cent reported malicious USB drops.
- 65 per cent of surveyed infosec professionals said their organisation experienced a ransomware infection in 2019. 33 per cent opted to pay the ransom, while 32 per cent did not. Of those who negotiated with attackers, 9 per cent were hit with follow-up ransom demands and 22 per cent never got access to their data, even after paying a ransom.
- Organisations are benefiting from consequence models. Globally, 63 per cent of organisations take corrective action with users who repeatedly make mistakes related to phishing attacks. Most infosec respondents said that employee awareness improved following the implementation of a consequence model.
- Many working adults fail to follow cybersecurity best practices. 45 per cent admit to password reuse, more than 50 per cent do not password-protect home networks and 90 per cent said they use employer-issued devices for personal activities. In addition, 32 per cent of working adults were unfamiliar with virtual private network (VPN) services.
- Recognition of common cybersecurity terms is lacking among many users. In the global survey, working adults were asked to identify the definitions of the following cybersecurity terms: phishing (61 per cent correct), ransomware (31 per cent correct), smishing (30 per cent correct), and vishing (25 per cent correct). These findings spotlight a knowledge gap among some users and a potential language barrier for security teams attempting to educate employees about these threats.
- Millennials continue to underperform other age groups in fundamental phishing and ransomware awareness. Organisations should not assume younger workers have an innate understanding of cybersecurity threats. Millennials had the best recognition of only one term: smishing.
By Matt Cooke, Cybersecurity Strategist, Proofpoint.
To download the State of the Phish 2020 report and see a full list of global comparisons, visit proofpoint.com/uk/resources/threat-reports/state-of-phish.
For more information on cybersecurity awareness best practices and training, visit proofpoint.com/uk/product-family/security-awareness-training.