Workplace inboxes still plagued by phishing attacks

31 May 2019

Mimecast’s annual State of Email Security report confirms that social engineering is still plaguing businesses, along with other email threats including ransomware and phishing attacks.

The report found that impersonation attacks, whereby attackers impersonate a colleague, high-ranking executive or partner in order to trick recipients, increased 67% compared to 2018 figures.

That suggests that cybercriminals are increasingly using the tactic to steal data and deliver threats. Of the 1025 global IT decision makers polled for the study, 73% had been impacted by direct losses as a result of impersonation attacks. Those losses included data loss (40%), financial loss (29%), and customer loss (28%).

Email phishing attacks are still as prevalent as ever – almost all (94%) of respondents indicated that they had experienced phishing and spear phishing attacks in the last 12 months. Additionally, 55% saw an increase in phishing attacks during the same period.

The report found that 61% of respondents believe it is likely or inevitable their organisation will suffer a negative business impact from an email-borne attack this year. The report also found that business-disrupting ransomware attacks are up 26% compared to last year.

Forty-nine percent of respondents noted having downtime for two to three days, whereas 31% experienced downtime for four to five days.

According to Mimecast vice president of threat intelligence Josh Douglas, email security systems should be considered the front line defence for most attacks. But data alone doesn’t create value.

“Survey results indicate that vendors need to be able to provide actionable intelligence out of the mass of data they collect, and not just focus on indicators of compromise which would only address past problems.”

“Financial, Manufacturing, Professional Services, Science/Technology as well as Transportation Industries are top targets. Understanding these key pain points helps organisations build a more comprehensive cyber resilience plan.”

Awareness training should be part of that cyber resilience plan. The report says that human error ranks higher as a cyber risk than both software flaws and vulnerabilities.

What’s more, half of surveyed respondents said their organisations conduct awareness training quarterly or less frequently, despite the fact that awareness training is catching on as an effective security tool.

“The most widely used method (62%) of awareness training happens in a group session. Following group training sessions, other popular methods include interactive videos highlighting best/worst security practices (45%), formal online testing (44%), reference lists of tips (44%) and one-on-one training sessions (44%),” the report says.

“These results reinforce the need for engaging training that is delivered persistently over time and that concentrates heavily on helping employees detect and avoid email-borne attacks.”