
UK organisations swift to chide phishing victims

While UK organisations are doing better at security training, many are quick to punish employees who fall victim to phishing attacks, whether real or simulated

Organisations in the UK are significantly more likely than the global average to sanction or punish employees who engage with real or simulated phishing attacks, and are also more likely to take severe actions, with 42% inflicting monetary penalties, versus 26% worldwide, and 29% going so far as to fire people based on their interactions with phishing attacks, versus 18% worldwide.

This is among the more concerning findings of Proofpoint’s latest annual State of the phish report, which offers new insight into how email-based attacks have come to dominate the threat landscape by a country mile. The data was collated partly from commissioned surveys of 600 IT and cyber professionals and 3,500 regular employees in Australia, France, Germany, Japan, Spain, the UK and the US, and partly from nearly 100 million simulated phishing attacks and 15 million reported phishing emails.

“Where 2020 taught us about the need to be agile and responsive in the face of change, 2021 taught us about the need to better protect ourselves,” said Alan Lefort, senior vice-president and general manager of security awareness training for Proofpoint.

“As email remains the favoured attack method for cyber criminals, there is clear value in building a culture of security,” he said. “In this evolving threat landscape and as work-from-anywhere becomes commonplace, it is critical that organisations empower their people and support their efforts to learn and apply new cyber skills, both at work and at home.”

Proofpoint found that attackers were more active in 2021 than in 2020, with 78% of organisations seeing email-based ransomware attacks arriving last year, and 77% seeing business email compromise (BEC) attacks, which Proofpoint said reflected cyber criminals’ focus on compromising people rather than technical processes. Attacks last year were also more impactful, with 83% of respondents reporting at least one successful phishing attack versus 57% in 2020.

In the UK, things were even worse, with 91% saying they had faced broad phishing attacks, and the same proportion reporting that they had been successfully compromised. Some 84% said they had seen at least one email-based ransomware attack, and 81% had seen one or more BEC attacks.

A total of 78% of UK organisations said they had needed to deal with at least one ransomware infection stemming from a direct email payload, second-stage malware delivery or exploit, of which 82% paid off their attackers to some degree.


UK organisations also face high volumes of non-email-based social engineering attacks, with over 20% seeing more than 50 smishing, social media or vishing attacks, and 78% facing at least one malicious USB drop.

“A staggering amount of UK businesses experienced a phishing attack in 2021, and 91% of those attacks were successful,” said Adenike Cosgrove, international cyber security strategist at Proofpoint.

“Further, security professionals in the UK are the most likely to face high volumes of non-email-based social engineering attacks. This compounds the fact that the UK is facing threats from all angles; however, the key to battling these threats starts with employees.

“All of these attacks require human interaction to be successful, emphasising the need for increased employee security awareness and training. Compared to global counterparts, UK workers had the highest awareness of the term ‘phishing’, which is promising, but at only 62% we still have a way to go to ensure businesses remain secure.”

UK organisations were found to consistently outperform the global average when it comes to staff cyber security training, with 59% providing training to everyone in the organisation, versus 57% worldwide, and 53% conducting specific, tailored training exercises for those they know to be targeted, or who are at higher risk of being targeted.

As a result, said Proofpoint, Brits tended to have a higher-than-average awareness of the meaning of key cyber security terms and concepts, such as phishing, smishing, malware and ransomware.
