A new report from Komodo Security suggests that until at least 2020, phishing will remain the most commonly used tactic for conducting advanced attacks on businesses, for a very good reason: 50% of the time those attacks are successful.
The worrying statistic comes from research conducted at Friedrich Alexander University in Germany in 2016, which suggests one in two computer users routinely click hyperlinks in emails from unknown individuals.
Further, in contrast to other forms of cyberattack, phishing is simple. It requires no IT skills to devise a simple phishing email, and malware and ransomware can be hired or purchased on the darknet for next to nothing.
It is even possible to pay a small amount for software to run a phishing campaign. The software harvests data from the Internet, including email addresses, domain names, employee names and mail server data. With the software it is easy to create lists of email addresses to spam, and domain spoofing is made simple.
With such a high click rate, any expenditure is likely to be rapidly recouped by selling stolen data and login credentials on the darknet. It is therefore no surprise that phishing is the number one method of attacking businesses, and why the threat from phishing is now greater than ever before.
The ease of conducting phishing attacks and the high potential rewards mean the threat from phishing is unlikely to decrease; if anything, it will continue to rise. While businesses can implement a wide range of security defenses to prevent phishing emails from being delivered to end users, it is not possible to block 100% of those messages.
Businesses therefore need a change of attitude. They must place less reliance on technology to block the threat and must now concentrate on bringing the security awareness of their employees up to a much higher standard.
Anti-phishing and security awareness training is now a necessity, but even companies that provide training need to up their game. Providing staff with an annual training session is no longer sufficient. Security awareness training must be an ongoing process, with regular training sessions provided throughout the year. Businesses also need to be running continuous phishing simulations on their staff to determine how effective the training has been, and to find out which employees require further training.
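To make the measurement step above concrete, the following script is an added example (not code from the article, from Komodo Security, or from any simulation product) that takes per-employee results from a series of simulated phishing campaigns and reports what the article says a business needs to know: whether the click rate is falling as training continues, which departments lag, and which employees have clicked in more than one campaign and need further training. The record format and all sample data are constructed for this example; a real simulation platform's export would need to be mapped onto the same fields.

```python
"""Summarise simulated-phishing results to track awareness-training effectiveness.

Added example; not the article's or any vendor's code. Each record describes one
employee in one simulated campaign. Records are assumed to be listed in the
order the campaigns were run, so the first/last campaign gives the trend.
"""
from collections import defaultdict

# Constructed sample data (not real results): four employees across three
# quarterly simulations. "clicked" = followed the simulated link,
# "reported" = forwarded the message to the security team.
SIMULATION_RESULTS = [
    {"campaign": "2017-Q1", "employee": "e001", "dept": "finance", "clicked": True,  "reported": False},
    {"campaign": "2017-Q1", "employee": "e002", "dept": "finance", "clicked": True,  "reported": False},
    {"campaign": "2017-Q1", "employee": "e003", "dept": "sales",   "clicked": True,  "reported": False},
    {"campaign": "2017-Q1", "employee": "e004", "dept": "it",      "clicked": False, "reported": True},
    {"campaign": "2017-Q2", "employee": "e001", "dept": "finance", "clicked": True,  "reported": False},
    {"campaign": "2017-Q2", "employee": "e002", "dept": "finance", "clicked": False, "reported": False},
    {"campaign": "2017-Q2", "employee": "e003", "dept": "sales",   "clicked": True,  "reported": False},
    {"campaign": "2017-Q2", "employee": "e004", "dept": "it",      "clicked": False, "reported": True},
    {"campaign": "2017-Q3", "employee": "e001", "dept": "finance", "clicked": True,  "reported": False},
    {"campaign": "2017-Q3", "employee": "e002", "dept": "finance", "clicked": False, "reported": True},
    {"campaign": "2017-Q3", "employee": "e003", "dept": "sales",   "clicked": False, "reported": False},
    {"campaign": "2017-Q3", "employee": "e004", "dept": "it",      "clicked": False, "reported": True},
]


def _rate_by(results, key, field):
    """Fraction of records grouped by `key` where boolean `field` is set."""
    sent = defaultdict(int)
    hits = defaultdict(int)
    for r in results:
        sent[r[key]] += 1
        if r[field]:
            hits[r[key]] += 1
    return {k: hits[k] / sent[k] for k in sent}


def campaign_click_rates(results):
    """{campaign: fraction of recipients who clicked}, in campaign order."""
    return _rate_by(results, "campaign", "clicked")


def campaign_report_rates(results):
    """{campaign: fraction who reported the message}; rising is the goal."""
    return _rate_by(results, "campaign", "reported")


def department_click_rates(results):
    """{dept: click fraction across all campaigns}, to target group training."""
    return _rate_by(results, "dept", "clicked")


def repeat_clickers(results, min_clicks=2):
    """Employees who clicked in at least `min_clicks` distinct campaigns.

    These are the people the article says need further training, as opposed
    to a one-off click that the next session may already have corrected.
    """
    clicks = defaultdict(set)
    for r in results:
        if r["clicked"]:
            clicks[r["employee"]].add(r["campaign"])
    return sorted(e for e, camps in clicks.items() if len(camps) >= min_clicks)


def click_rate_trend(results):
    """Change in click rate from the first to the most recent campaign.

    Negative means training is working; zero or positive means it is not.
    """
    rates = list(campaign_click_rates(results).values())
    if len(rates) < 2:
        return 0.0
    return rates[-1] - rates[0]


if __name__ == "__main__":
    for camp, rate in campaign_click_rates(SIMULATION_RESULTS).items():
        reported = campaign_report_rates(SIMULATION_RESULTS)[camp]
        print(f"{camp}: clicked {rate:.0%}, reported {reported:.0%}")
    for dept, rate in department_click_rates(SIMULATION_RESULTS).items():
        print(f"department {dept}: clicked {rate:.0%}")
    print("need further training:", repeat_clickers(SIMULATION_RESULTS))
    print(f"click-rate trend first->last: {click_rate_trend(SIMULATION_RESULTS):+.0%}")
```

The two numbers worth watching over a year of simulations are the click rate (which should fall) and the report rate (which should rise); a falling click rate with a flat report rate means employees are ignoring suspicious mail rather than escalating it, which still leaves the security team blind to real campaigns. The `min_clicks` threshold decides how forgiving the retraining rule is and should be set to match how often simulations are run.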
Unless businesses start training their employees to become security assets and play a greater role in the security of their organization, costly data breaches will continue to occur.