The almost total pervasiveness of phishing scams and other email-based attacks can be seen in a recent survey, which found that almost 90 percent of cybersecurity executives said their company was hit with an attempted or successful email-based cyberattack in the last year.
The Barracuda survey found employers are experiencing more email attacks, with 81 percent seeing an increase in the last year and 25 percent of those describing the increase as dramatic. This is driving up the cost of mitigation, with 81 percent seeing a jump in cost and 22 percent describing the price as rising dramatically.
The price that must be paid in the wake of an attack is not just monetary. Sixty-seven percent of those surveyed said an email incident forced their IT team to divert needed resources from other priorities to deal with an attack; 61 percent said employee productivity was interrupted, and 10 percent reported that their firm's reputation took a hit.
Having sensitive corporate information stolen was judged to be the most costly kind of attack, followed by ransomware and business email compromise. When it came to recovering from a ransomware attack, 12 percent of the companies decided their only option was to pay the ransom, with the remaining 88 percent declining to do so. Interestingly, enterprise-size businesses were more likely to pay compared to small and medium-size operations.
“Based on how pervasive ransomware attacks have become, along with the accompanying media coverage, it's somewhat surprising to see such a small percentage of companies paying. Perhaps it's actually a glimmer of hope: maybe organizations had comprehensive backup solutions in place and were able to rapidly recover critical data without paying,” the report stated.
Thirty-five percent of the surveyed executives said their firm had been hit with a ransomware attack in the last year, with 75 percent of those individuals saying the malware was delivered via email, 32 percent from the web and 23 percent through network traffic.
The source of the problem was quite obvious, with 84 percent saying poor employee behavior is a greater email security concern, compared to the 16 percent who said their company had inadequate tools to deal with the threat.
When it came to who in the company security execs are most concerned about responding incorrectly to a phishing attack, 46 percent pointed to individual contributors and 15 percent to team managers, but 39 percent fingered executives as being the people most likely to fall for a fake email. This is particularly dangerous because 70 percent of those asked said executives were the most likely individuals to be targeted by a malicious actor and have the greatest access to sensitive company information.
When it comes to which department is most vulnerable to a phishing attack, finance was the greatest problem, according to 24 percent of the respondents, followed by sales, 17 percent; customer support, 15 percent; operations, 14 percent; and marketing, 9 percent. Human resources, IT and legal were all considered less susceptible.
“It's not a surprise that finance employees are viewed as the most vulnerable, considering their access to the crown jewels, including bank account information, wire transfer numbers and other valuable business information. It's somewhat surprising and interesting, however, that employees of legal departments were so far down the list, as they typically have access to strategic information related to lawsuits, sensitive information that could be used for insider trading, and other highly confidential matters,” the report said.
With this level of threat activity, it is no wonder that the respondents are placing a huge emphasis on training. Everyone surveyed said end-user training is important to help prevent attacks, and almost all, 98 percent, said avoiding classroom-style lessons is the best way to train people and that companies should instead use phishing simulations that include customized examples relevant to the employee and their company.
The survey was composed of 634 executives, individual contributors and team managers serving in IT-security roles in the Americas, EMEA and APAC.