In their latest report, IDG and the pros behind Carbonite + Webroot spoke with 300 global IT professionals to learn the current state of phishing. We learned that 93% of IT executives are still concerned about phishing – and it’s no wonder, as companies averaged 28 attacks each over the previous 12 months.
Luckily, the report details how to fight back. With the right preparation and the right protection, companies can prevent all but 0.3% of attacks.
Phishing capitalizes on COVID
Phishing attacks have been part of the cybercriminal arsenal for years. But it’s only recently that phishing has flourished into the scourge it is today. That’s because cybercriminals have found success by targeting COVID-19 fears with their schemes.
In fact, phishing attacks spiked by 510% from just January – February 2020, according to the 2021 Threat Report. These increases leveled off by the summer, but phishing attacks still increased 34% from September – October 2020. Overall, 76% of executives report that phishing is still up compared to before the pandemic.
COVID-based tactics might purport to have new info on a shutdown, to share COVID stats or even suggest info from your doctor. But in each case, cybercriminals are looking to steal your information.
Who’s getting attacked?
IT departments are feeling the brunt of these attacks, with 57% of them targeted by phishing. Carbonite + Webroot Sr. Security Analyst Tyler Moffitt says, “Even if malware targets someone with lower-level access, the attack will move laterally to eventually find an IT administrator.”
He goes on to say that attackers can then linger for a week or more to find valuable data or steal a balance sheet that gives an indication of how much ransom to charge.
Because they often have important credentials, top executives and finance groups are also common targets. Public-facing customer service employees also offer easy access.
Consequences of phishing
75% of global IT executives say they’ve suffered negative consequences from phishing attacks. That includes:
- 37% suffered downtime lasting more than a day
- 37% suffered exposure of data
- 32% lost productivity
- 19% had to pay legal or regulatory fines
A layered approach to security
But it’s not all bad news. Yes, phishing is using new tactics to target businesses. But there are ways to fight back.
The report cites training as one of the most effective tools. But the frequency of training varies greatly, and 25% of those who use it don’t include phishing simulations. By using security awareness training that offers regular simulations, you can reduce phishing by up to 70%.
But even with great training, the report notes that people will still click some of the time. That’s why a multi-layered approach gives peace of mind that not all is lost if one person messes up.
No layer is 100% effective, but taken together many layers get very close. A defense in depth security posture utilizing DNS and endpoint detection as well as a sound backup strategy can give you confidence that you’re prepared to withstand even a successful phishing attack.