By the looks of things, phishing and ransomware are here to stay. There was a time when a wannabe hacker needed moderate coding and hacking skills, but today’s cybercriminals can use a credit card to purchase ready-made phishing and ransomware kits from the dark web.
A recent report, “Fighting Phishing: The IT Leader’s View,” published by security software firm Egress, confirmed that phishing and ransomware are causing a revolving door of break-ins and breaches for businesses. Yet, there continues to be a disconnect about the prioritization of cybersecurity at the board of directors level, the report found. The report surveyed 500 U.S. and UK IT leaders from businesses that ranged from medium to enterprise sizes.
“In addition to the disconnect at the board level, the one [report] stat that jumped out to us was the fact that 84% of surveyed organizations have suffered a phishing attack in the past 12 months,” said Jack Chapman, Egress vice president of threat research.
“That is a staggering number with all the discussions about cybersecurity that have gone on around the world this past year,” Chapman added. He noted that the large number of phishing victims suggests that threats are becoming more sophisticated and targeted.
For the organizations affected by phishing attacks, there was a relatively even split between two key tactics attackers used to deploy malware: people clicking malicious links (52%) and people opening malicious attachments (45%).
The Effectiveness of Security Awareness Training
Security awareness training for employees does not appear to diminish the amount of phishing exposure. “The research found that 98% of organizations have delivered security awareness training to employees,” Chapman said. “Clearly, security awareness training alone is not enough to protect employees from phishing.”
Forty-five percent of surveyed IT leaders said their organizations change their training supplier on an annual basis. That change in suppliers could suggest that many organizations believe training isn’t working.
What Organizations Must Do
The implementation of new security technology can help organizations mitigate the risks of phishing and ransomware. For example, a new category to complement secure email gateways — integrated cloud email security (ICES), so named by industry researcher Gartner — is gaining traction. ICES products typically use advanced threat detection techniques that incorporate machine learning and natural-language processing.
However, what may be most critical is for IT leaders and business leaders to get on the same page. “IT leaders know that their board of directors aren’t taking ransomware as seriously as they should,” Chapman explained. Unfortunately, organizations usually must suffer a monetary loss from an attack before they will begin to take the threats seriously. “Therefore, addressing the disconnect is about making it feel ‘real’ to people who might not necessarily be fully aware of the severity of the problem and the likelihood of an attack.”
Chapman suggested IT leaders carry out roleplay exercises to educate business leaders on the real-world damage that a ransomware attack can cause. Additionally, IT leaders must show business leaders that attacks can’t necessarily be fixed with an insurance payout or by paying a ransom.
“It’s one thing to talk about threats as an abstract issue, but showing what it means in reality is important,” Chapman said. “Whether it be brand reputation or financial loss, any incident will have a lasting impact on the organization.”