Proofpoint, a leading cybersecurity and compliance company, has released its seventh annual State of the Phish report, which explores enterprise phishing experiences and provides an in-depth look at user awareness, vulnerability, and resilience.
More than 75% of surveyed infosec professionals said their organisations faced broad-based phishing attacks, both successful and unsuccessful, in 2020, and ransomware infections impacted 66% of third-party global survey respondents.
This year’s State of the Phish report examines global third-party survey responses from more than 600 information security professionals in the US, Australia, France, Germany, Japan, Spain, and the UK, and highlights third-party survey findings of 3,500 working adults within those same seven countries. The report also analyses data from more than 60 million simulated phishing attacks sent by Proofpoint customers to their employees over a one-year period, along with approximately 15 million emails reported via the user-activated PhishAlarm reporting button.
“Threat actors worldwide are continuing to target people with agile, relevant, and sophisticated communications, most notably through the email channel, which remains the top threat vector,” said Alan LeFort, Senior Vice President and General Manager of Security Awareness Training for Proofpoint. “Ensuring users understand how to spot and report attempted cyberattacks is undeniably business-critical, especially as users continue to work remotely, often in a less secured environment. While many organisations say they are delivering security awareness training to their employees, our data shows most are not doing enough.”
Proofpoint’s State of the Phish report emphasises the need for a people-centric approach to cybersecurity protections and awareness training that accounts for changing conditions, like those experienced by organisations throughout the pandemic. Survey findings reveal a lack of tailored training. For example, 92% of UK infosec survey respondents said their workforce shifted to a work-from-home model last year, but only 36% said they trained users on safe remote working.
“The findings related to remote working situations in the UK are eye-opening,” said Adenike Cosgrove, Cybersecurity Strategist, International, Proofpoint. “Nearly all the UK infosec professionals we surveyed said they supported a new, remote working model for at least half of their organisation’s workers last year. And yet just over a third of these respondents said workers were trained about security practices related to working from home. At the same time, more than half of UK workers say they allow their friends and family to access work-issued devices to do things like shop online and play games. These gaps represent a significant risk and reinforce the need for security awareness training initiatives that are tailored to the remote workforce.”
Proofpoint’s State of the Phish details actionable advice as well as a deep analysis of the phishing threat landscape to help reduce risk. Key UK findings include:
- 92% of UK organisations required or requested most of their users to work from home in 2020, but only 36% train their employees about best practices for remote working.
- 44% of UK infosec survey respondents said their organisation had experienced a ransomware attack in 2020 and paid the ransom (global average was 34%).
- For those who paid, 59% of UK respondents said their organisation regained access to data/systems after the first payment. 39% were hit with additional ransom demands that they agreed to pay, eventually regaining access to data.
- 60% of UK organisations use a consequence model, meaning there are punishments for users who repeatedly fall for real or simulated phishing attacks. The top consequences for repeat offenders were counselling from the infosec team (63%), impact to yearly performance reviews (48%) and disciplinary actions (like a written warning) enforced by HR (40%). Termination came in above the global average at 27%, only behind the US at 30%.
- 68% said a consequence model led to an improvement in employee awareness, the lowest vote of confidence among all countries surveyed that this approach actually works, against a global average of 82%.
Key global findings include:
- More organisations experienced successful phishing attacks in 2020 vs. 2019 (57% vs. 55%) according to the third-party survey. In addition, business email compromise (BEC) attacks continue to be a serious concern.
- Of the two-thirds of survey respondents who said their organisation experienced a ransomware infection in 2020, more than half decided to pay the ransom in the hopes of quickly regaining access to data. Of those who paid, 60% regained access to data/systems after the first payment. However, nearly 40% were hit with additional ransom demands following an initial payment, a 320% year-over-year increase. Thirty-two percent reported that they subsequently agreed to pay the additional ransom demands, a 1,500% increase over 2019.
- Eighty percent of organisations surveyed indicated that security awareness training has reduced phishing susceptibility. But while 98% of infosec professionals surveyed said their organisation has a security awareness training program, only 64% offer formal training sessions to users as part of cybersecurity training initiatives.
- Proofpoint customers’ overall average failure rate on phishing simulations was 11%, down from 12% in 2019. The overall average resilience factor was 1.2, indicating that, in general, these organisations’ users are more likely to report a suspicious email than to interact with it.
- Manufacturing organisations faced the highest average volume of real-world phishing attacks in 2020 according to Proofpoint Threat Research. Organisations in this industry were among the most active in testing their users’ response to phishing threats, achieving an overall failure rate of 11%.
- At the department level, purchasing teams were top performers, with a 7% average failure rate. Maintenance and facilities teams were the worst-performing departments analysed, registering average failure rates of 15% and 17%, respectively.
Organisations are encouraged to proactively develop people-centric cybersecurity strategies that account not only for shared experiences across regions, industries, and departments, but also the threats that are unique to their missions, goals, and people.