The State of the Phish Address for 2019 analyzes data from tens of millions of simulated phishing attacks in addition to the results of two surveys given to info-sec professionals and end-users all over the world. This report uniquely delivers direct feedback from information security professionals on the current threat landscape and the challenges lying in wait there and provides data-driven intelligence for CISOs and CSOs for managing end-user risk.
Here are some highlights from the annual report.
The Extent of End-user Risk
Proofpoint's The Human Factor 2018 report finds that cyber attackers are focusing more on people than on defenses, exploiting our natural curiosity, desire to be helpful, love of bargains and time constraints. Email is the top attack vector, followed by suspiciously registered domains, fake browser plugin updates and the lure of pirated content in social media-based attacks. End users are also found to be unfamiliar with info-security terms, and many rely entirely on IT teams to automatically discover and fix accidental malware downloads.
A lack of clarity about the role of IT in this context may be instilling a false sense of security in end users and unnecessarily draining info-sec resources. For the younger generations of digital natives, familiarity with technology unfortunately does not necessarily translate into a clear understanding of cyber security or reduced risk; in fact, Baby Boomer and Gen X respondents showed much stronger recognition of phishing and ransomware.
Info-sec professionals reported a more active social engineering landscape in 2018, with every type of attack occurring more frequently than in 2017. 83% of survey respondents experienced phishing attacks; 49% experienced vishing and/or smishing (voice or SMS/text phishing) attacks; 4% faced USB-based social engineering attacks; and 64% experienced spear phishing. These figures represent increases of 7%, 4%, 1% and 11% respectively over 2017.
Security Awareness Outcomes and Opportunities
So what should be done to mitigate these increasing risks? Greater focus on credential compromise is recommended, as this attack vector quadrupled between Q2 and Q3 of 2018. A steady 9% average failure rate on simulated phishing attacks shows the value of training: end users continue to apply learned skills and remain alert to different phishing traps.
It is also recommended to challenge and educate end users thoroughly over time with phishing simulations that include commercial- and cloud-themed campaigns, such as shipping confirmations and messages about downloading documents from cloud storage services.
Looking for managed IT services to help your small or medium business combat cyber security threats?
Contact us for a free risk assessment.