Phishing, spear phishing, malware infiltration, CEO fraud and ransomware are rising concerns for all organisations, from micro enterprises to large multinationals. According to a recent Osterman Research report sponsored by Forcepoint, in the last 12 months:
- 37% of organisations have been infected by malware delivered through an email phishing attack;
- 24% of organisations have had files encrypted because one or more endpoints were infected by ransomware;
- 21% of organisations have had their systems infiltrated via a drive-by attack from employee web surfing;
- 12% of organisations had senior executives tricked by a CEO fraud/BEC attack.
Email attacks lead ‘top concerns’ list
The top three issues of concern share the same attack vector, email:
- Phishing through email – 74% of organisations report high levels of concern
- Malware infiltration through email – 67%
- Spear phishing through email – 65%
Why does email generate such concern?
We can speculate that, although anti-spam and anti-malware software are becoming ever more sophisticated, there is no guarantee that they will stop 100% of scam emails from reaching their targets, leaving users to decide whether or not to open a fraudulent email. In short: the level of concern relates to how staff are likely to act when confronted with a phishing email.
Invest in the ‘human firewall’
The report provides a few suggestions about the best practices companies should adopt to address cyber security gaps in order to reduce or mitigate the risk of phishing attacks:
- Develop a good security awareness programme to help staff get a better understanding of the risks of cyber crime, social engineering and phishing attacks.
- Roll out regular security awareness training to make sure employees are up to date with the latest types of cyber and phishing attacks, and equipped with the best practices to stay cyber secure. The cost-effective way to train all staff, especially for large organisations or companies with a dispersed workforce, is through interactive e-learning courses focused on information security and phishing.
- Regularly test employees to determine the effectiveness of their security awareness training and to identify those who need additional help. You can perform a phishing simulation to test their understanding of phishing attacks and identify those who still have weaknesses.