Phishing continues to be an effective way for threat actors to infect computing devices, according to a survey from cybersecurity vendor Proofpoint.
Fifty-seven per cent of the 600 infosec professionals questioned in seven countries said their firm suffered a successful phishing attack last year, the company said Monday in releasing its annual State of the Phish Report. That was up slightly over the previous year, meaning the share of successful attacks was essentially unchanged.
However, 60 per cent of respondents said their firm suffered a data loss, up 13 per cent over 2019, and 52 per cent said their organization suffered a credential compromise, up 11 per cent over the previous year.
There was some relatively good news: Ransomware infections held steady year over year. And 17 per cent fewer respondents reported malware infections as a result of phishing compared to 2019. Forty-seven per cent fewer experienced a direct financial loss compared to 2019.
“These results could indicate that organizations have implemented stronger preventive measures against these types of attacks,” the report said.
It also warns that email isn’t the only vector for social engineering attacks. Sixty-one per cent of respondents said their organization faced attacks through social media last year, an equal number faced SMS text attacks (also known as smishing), 54 per cent said they faced voicemail (or vishing) attacks, and 54 per cent said someone tried to attack them through malicious USB keys.
When it comes to ransomware, 34 per cent said their organization was infected and paid a ransom to get access to their data, 32 per cent who were hit refused to pay the ransom and 34 per cent said they didn’t suffer a ransomware infection in 2020.
However, the C-suite should note this trend that emerged in the data: In 2020, organizations that paid a ransom were 32 per cent more likely to have to pay an additional ransom demand after their first payment before getting access to their data. That figure was two per cent a year prior.
Proofpoint sells email protection products, including simulated phishing tests with links or attachments that are sent to employees to raise awareness. Customers have a choice of themes, such as “New Microsoft Teams request,” and a variety of Coronavirus alerts and warnings. Organizations experienced an average failure rate of 11 per cent in 2020, compared to 12 per cent in 2019.
Some of the simulations that were successful included an offer for a free month of Netflix streaming for employees, a vocation contract rental office, an overdue invoice reminder and a Starbucks promotion. A number of COVID-19 related test lures were also successful.
It also found some concerning numbers around awareness training. While 98 per cent of respondents said their firm has a security awareness training program, only 64 per cent said they have formal training sessions.
Only 52 per cent said their firm provides company-wide training. A little more than one-third train only certain departments and roles. And 11 per cent said they are “very targeted” in their training, focusing on individuals rather than groups.
Nearly 30 per cent said their firm relies on simulated phishing attacks alone to teach their users. That’s not good enough, the report concludes: tests on their own don’t teach users who fail about the many and varied tactics attackers use.
“User engagement is critical if you want to make security a core part of your organization’s culture,” it says.
Other notable tips from the report include:
- Don’t assume employees understand cybersecurity lingo (like phishing, smishing and vishing).
- Make awareness training personal by helping staff see the overall value of improving their security at work, and at home.
- Be clear about expectations and communicate regularly.
- Make staff feel empowered by giving them the tools they need to improve security, and teach them how to use those tools.
- Give users a safe space to learn, make mistakes, practice and learn more.
- Highlight the benefits of participating in awareness training and how better behaviours improve the organization’s security.
Download the full report here. Registration is required.