CISOs Are Losing the Fight Against Phishing Attacks
Since the pandemic, companies have been experiencing a surge in cybersecurity attacks, particularly phishing attacks. A recent survey finds that nearly three-quarters of organizations admit they were victims of a successful phishing attack in the last year, with 40% confirming they have experienced one in the last month.
The global survey conducted by Aberdeen found that the global shift to remote work has exacerbated the onslaught, sophistication, and impact of phishing attacks.
According to the survey commissioned by enterprise IT solutions firm Ivanti, 80% of respondents said they have seen an increase in volume of phishing attempts, and 85% say they are getting more sophisticated – so much so that 47% of IT professionals have fallen victim to such attacks.
Mobile devices at risk
Aside from IT professionals, entire organizations are increasingly exposed to cyberattacks due to remote work and the growing use of mobile devices for that work.
According to the research, attackers have a higher success rate on mobile endpoints than on servers – a pattern that is trending dramatically worse. Meanwhile, the annualized risk of a data breach resulting from mobile phishing attacks has a median value of about $1.7 million, and a long tail value of about $90 million.
Lack of employee understanding
Hackers are exploiting enterprise security gaps in the Everywhere Workplace, in which remote workers are using mobile devices more than ever before to access corporate data. Thirty-seven percent of respondents cited a lack of both technology and employee understanding as the main causes for successful phishing attacks. However, 34% blamed successful attacks on a lack of employee understanding.
While 96% of IT professionals reported that their organization offers cybersecurity training to teach employees about common attacks like phishing and ransomware, only 30% of respondents said that 80-90% of employees had completed the training.
Shortage of IT talent
The survey also sheds light on how the effects of phishing attacks have been exacerbated by shortages of IT talent. More than half (52%) of respondents claimed their organization has suffered from staff shortages in the past year, and, of those respondents, 64% confirmed under-resourcing is the cause of longer incident remediation times.
With fewer members of staff, the ability to mitigate security issues speedily has been vastly reduced. Any downtime caused by a security incident costs an organization money and damages productivity. Furthermore, 46% cited increased phishing attacks as a direct result of staff shortages.
“Reducing the risk of phishing attacks is a race against time, in more than one dimension. Enterprise IT pros must stay ahead not only of the attackers who are constantly crafting new attacks, but also of their own users — who are shockingly quick to click on malicious links,” said Derek E. Brink, vice president and research fellow at Aberdeen Strategy & Research.
“While many organizations have been making investments in security awareness training initiatives, they should also be prioritizing and applying advanced automation, artificial intelligence, and machine learning technologies to more quickly and consistently identify, verify, and remediate phishing threats.”
“Anyone, regardless of experience or cybersecurity savvy, is susceptible to a phishing attack. After all, the survey found that nearly half of IT professionals have been duped,” said Chris Goettl, senior director of product management at Ivanti.
“To effectively combat phishing attacks, organizations need to implement a zero trust security strategy that incorporates unified endpoint management with on-device threat detection and anti-phishing capabilities. Organizations should also consider getting rid of passwords by leveraging mobile device authentication with biometric-based access to eliminate the primary point of compromise in phishing attacks,” said Goettl.