Intermedia, a cloud business applications provider, has released Part 1 of its 2017 Data Vulnerability Report, which examines the security habits of more than 1,000 office workers in the United States.
Your employees are unknowingly granting hackers access
Despite organizations educating employees about cyber threats and security best practices, office workers continue to fall victim to attacks—and not just entry-level employees. Owners/executives (34%) and IT workers themselves (25%) report being victims of a phishing email more often than any other group of office workers.
Phishing, the process by which cyber criminals attempt to coerce email victims into making a financial transaction, disclosing login credentials or visiting a malware-laden website, is only getting worse as attacks become increasingly sophisticated and fool more and more employees into revealing critical company data. In fact, according to Intermedia, last year total phishing attacks surpassed 1.2 million, a year-over-year increase of 65%. And according to the FBI, business-email compromise scams accounted for more than $5 billion in losses for businesses between October 2013 and December 2016.
With the recent Equifax breach, highly personal information was taken from up to 143 million individuals including names, birth dates, addresses, Social Security numbers, and driver’s license numbers. Now there’s that much more ammunition out there to help scammers launch targeted phishing scams, impersonating someone within the organization or a trusted friend.
Phishing attacks have dramatically increased, but education efforts have not
In addition, while 70% of office workers say that their organization regularly communicates with employees about cyber threats as a means of prevention, significant gaps between confidence and effectiveness remain:
Security trainings are breeding a high level of confidence: 86% of office workers report that they feel confident in their ability to detect phishing emails.
Yet phishing techniques still fool office workers: Roughly one in five employees (21%) admit to being victims of phishing emails, and those are just the employees who admit it. Nearly a quarter of Gen X office workers (23%) and Boomer-aged office workers (23%) say they have been the victim of a phishing email, compared to 17% of millennial office workers.
While the number of attacks has dramatically increased in the past two years, employee training has not. Ryan Barrett, Intermedia’s Vice President of Security and Privacy, elaborates: “Today’s rapidly changing threat landscape makes it more important than ever for companies to educate employees on new types of cyberattacks and vulnerabilities. Take the recent Equifax breach, for example, which is by far the most invasive when you consider the sheer amount of sensitive personal data that’s been accessed. This incident further arms scammers and hackers with information to craft exceptionally compelling, targeted phishing attacks. At this point, businesses should assume that bad actors are going to try to use this information to gain access to their systems.”
According to Intermedia’s 2015 Insider Risk Report, 72% of office workers said they had received training on their company’s security practices, compared to 70% in this year’s report. While employees are receiving training, the frequency and type of training aren’t comprehensive enough.
Barrett continues, “It is no longer enough to just talk to employees about these threats, as this type of education can actually lead to a false sense of security, as our latest study shows. Instead, companies need to offer regular interactive IT security trainings, simulate security incidents to help employees detect and prevent cyberattacks, and talk about the risks when big data breaches are in the news. While office workers are confident in their skills, they still are susceptible to breaches, and organizations need to be doing more to protect themselves.”
The report
Part 1 of Intermedia’s 2017 Data Vulnerability Report tests the validity of employee confidence and awareness around phishing attacks. The report provides tips and advice about what companies should do to better protect themselves against future threats before costly compromises ever occur. Parts 2 and 3 of this report will look at the financial implications of ransomware as well as data loss from employees’ actions within an organization. You can view Part 1 of the report, as well as sign up for series alerts, here.