Companies are losing the war against phishing as attacks increase in number and sophistication

A new report finds that 74% of companies have been the victim of phishing in the last year. Staff shortages, a lack of security training and an increase in mobile device usage for work are factors.


Image: weerapatkiatdumrong, Getty Images/iStockphoto

Automation company Ivanti has surveyed more than 1,000 IT professionals on the effects of phishing at their organizations, and what it has found is grim security news: 74% of companies have fallen prey to phishing in the past year, and 40% became victims in the last month alone. 


With phishing success rates so high, it’s essential for organizations to tamp them down, but aggravating factors are making it difficult for businesses to do so. In particular, Ivanti cites the COVID-19-induced shift to remote work as a major reason for the increased “onslaught, sophistication and impact of phishing attacks.”


Using the past year as a frame of reference, 80% of respondents said the volume of phishing attempts increased, and 85% said the attempts are becoming more sophisticated, making them increasingly hard to detect. Ivanti said that smishing (text-message phishing) and vishing (voice-call phishing) have increased in the past year as more people use mobile devices for remote work. The report also cites data from Aberdeen Strategy and Research that found a higher rate of successful phishing attacks against mobile devices, which Ivanti said is “a pattern that is trending dramatically worse.”

There’s a lot of blame to go around, and respondents pointed plenty of fingers. Thirty-seven percent said that a lack of technology and understanding among employees was a main cause for the increase in successful phishing attacks, and 34% directly blamed a lack of employee understanding. Ninety-six percent said their organizations offered cybersecurity training that teaches about recognizing phishing, but only 30% said 80-90% of employees at their organizations had completed such training. 

In addition to employees dropping the ball on phishing awareness, 52% also reported that their IT teams were understaffed, and 64% said those shortages have led to increased time spent on incident remediation. Forty-six percent directly blamed staff shortages for the increase in successful phishing attacks. 

IT departments may be willing to blame rank-and-file employees and those responsible for hiring for increases in phishing attacks, but they aren’t without blame, either: 73% said their IT staff had been targeted by phishing attacks in the past year, and 47% said those attacks were successful. 

In short, phishing targets everyone, a wide swath of people fall victim, and everyone has to take responsibility for stopping these cybersecurity attacks. 

“Anyone, regardless of experience or cybersecurity savvy, is susceptible to a phishing attack. After all, the survey found that nearly half of IT professionals have been duped,” said Ivanti senior director of product management Chris Goettl.


How to prevent phishing attacks

Goettl and Derek E. Brink, vice president and research fellow at Aberdeen, agree that new tools and more investment in training are needed to combat phishing. Among the tips they suggest are:

  • Implementation of a zero-trust security model to prevent attackers from moving laterally in networks using stolen credentials.
  • Endpoint management software that includes on-device threat detection and phishing detection.
  • Using artificial intelligence, machine learning and automation to identify and remediate threats. 
  • Eliminating passwords in favor of biometric identification, which removes the most common weak point used by phishing attackers.

If those best practices can’t be incorporated into security strategies immediately, businesses should consider implementing and requiring two-factor authentication for all users, especially those working remotely. 
