Employees still too gullible, falling for phishing lures: Report


According to Proofpoint’s latest annual international survey of IT/infosec managers and employees, employees continue to fall for phishing lures that put their organizations at risk.

Eighty-four percent of 1,050 survey respondents in 15 countries said their organization had experienced at least one successful email-based phishing attack during 2022.

Of those who were successfully attacked, 30 percent globally (23 percent of Canadians) said their organizations suffered a direct monetary loss, such as a fraudulent invoice, wire transfer, or payroll redirection. Globally this represented a 76 percent increase over the share reporting a financial loss in 2021.

The numbers are in Proofpoint’s latest State of the Phish report. The full report is available here; registration is required.

Among other important findings:

– Nearly 65 percent of respondents said their organization experienced data loss due to an insider in the past year. The number was even higher for the US, UK and the Netherlands, around 85 percent. The most common cause of insider data loss was carelessness or negligence;

– Nearly 76 percent of organizations experienced a ransomware attack attempt, with 64 percent experiencing a successful infection. More than two-thirds of respondents said their organizations experienced multiple, separate infection incidents;

– 64 percent of the infected organizations agreed to pay the ransom. 90 percent of them were helped by their cyber insurance;

– Nearly 52 percent of ransomware victims — slightly better than the flip of a coin — regained access to their data after making a single ransomware payment. Almost as many were forced to pay more, and some still could not regain access to their data;

– Only 35 percent of respondents said their organizations conduct phishing simulations, down from 41 percent in 2021.

In addition to surveying IT and infosec professionals, the report questioned 7,500 working adults. Among the results the authors of the report found:

  • Basic security concepts are still not understood – more than a third of survey respondents could not define “malware,” “phishing” or “ransomware”;
  • 44 percent of respondents feel an email is safe when it contains familiar branding (such as the name of a recognized company). Unfortunately, brand abuse is one of the most common attack tactics;
  • With regard to insider losses, nearly half of end users who changed jobs within the last two years admitted that they took data with them when they left. The survey didn’t say whether that was sensitive data;
  • There is a disconnect between what infosec professionals think and what employees feel. While 83 percent of infosec respondents said they think employees regard security as a top priority at work, 33 percent of working adults said security is not a top priority for them.

“Creating a security awareness program tailored to the specific threats your organization faces is a major challenge,” admit the authors of the report. “But,” they say, “there is reason for optimism. Sixty-seven percent of security professionals said that the phishing failure rate has decreased since their security awareness program was implemented.”

The report states that training is important, but not sufficient. “A strong workplace security culture will inspire users to take security more seriously and help create sustainable security habits that extend to their personal lives.”

It is also important to measure behavioral metrics, the report says, and management should respond to the results with “fair and impartial treatment.”

“While traditional phishing remains successful,” said Ryan Kalember, Proofpoint’s executive vice president of cybersecurity strategy, “many threat actors have shifted to newer techniques, such as telephone-oriented attack delivery and adversary-in-the-middle (AitM) phishing proxies that bypass multifactor authentication. These techniques have been used in targeted attacks for years, but they are expected to be deployed at scale in 2022. We’ve seen a significant increase in sophisticated, multi-touch phishing campaigns that engage in lengthy conversations between multiple individuals.

“Whether it’s nation-state-aligned groups or BEC actors, a lot of adversaries are willing to play the long game.”

Among Canadian responses filtered from the surveys:

– Two-thirds (66 percent) of Canadian organizations reported an attempted business email compromise attack in the past year (BEC attacks try to trick employees into transferring money to an account controlled by a threat actor, seemingly at the request of an executive);

– 66 percent of Canadian organizations experienced a ransomware attack attempt in the last year, with half suffering a successful infection. Only 56 percent regained access to their data after making the initial ransomware payment.

– 40 percent of Canadian respondents said their organization experienced multiple, separate ransomware infections.

– More than one in three infected organizations in Canada paid a ransom, and many (33 percent) did so more than once.

