Risk managers, legal experts and brokers say phishing and social engineering are, by far, the biggest security threats facing their companies and clients. In fact, 80 percent of legal experts, 68 percent of brokers and 61 percent of risk managers polled by Advisen for Experian Data Breach Resolution’s 2017 Cyber Risk Preparedness and Response Survey cited phishing/social engineering as their top concern.
Why do they feel that way? A look at the numbers and some insight into human nature can explain their fears — and help you understand why your organization should be just as concerned about phishing risks.
By the numbers
Phishing and social engineering are particularly effective forms of cyberattack because they use technology and knowledge of human nature to manipulate employees into actions that serve the attacker’s purpose. How effective are they?
- Employees succumbing to a targeted phishing attack was one of the top two insider risks cited by executives who responded to the Ponemon report Managing Insider Risk through Training and Culture.
- Sixty-one percent of information security professionals polled by Wombat Security for its 2017 State of the Phish report said their organization had been the victim of a phishing attack.
- According to the Ponemon Fourth Annual Preparedness Study, 38 percent of respondents are not confident they can deal with a spear phishing incident.
The human risk factor
Phishing in general and spear phishing in particular are successful because human beings are often the chink in an organization’s cybersecurity armor. All it takes is one overly curious and under-cautious employee clicking on a suspicious email, or a well-meaning worker who responds to a seemingly authentic request for proprietary information. Those scenarios are the stuff of nightmares for information security professionals, and unfortunately they happen all too frequently.
Multiple studies show that negligent employees cause more data breaches than other sources, whether they succumb to a phishing attack or lose a company laptop at the airport. However, studies also show that cybersecurity training, including a component on phishing, can help reduce employee-related risks.
Training is critical
Among organizations that train employees on how to spot and avoid phishing attacks, 52 percent reported they were able to see quantifiable results — fewer successful phishing attacks — based on their training, Wombat said. Respondents to the Advisen survey stressed the importance of creating a company culture in which cybersecurity is everyone’s job and knowledge of phishing and how to thwart attacks is the norm.
Employee training in cybersecurity should begin as part of the onboarding process when the worker joins your organization, and everyone should get a refresher at least annually. While 67 percent of those surveyed by Ponemon said their organizations didn’t incentivize employees to proactively protect sensitive information or report potential issues, any successful culture of security should reward those who are embracing their roles as protectors — and not just punish those who fall short.