CEOs, Cybersecurity Leaders, Stressed Out By Phishing: Egress Report
Phishing threat insights from a study of 500 cybersecurity leaders.
Phishing has been around for decades and yet with each passing year, attacks are becoming increasingly pervasive and destructive. According to an independent study of 500 cybersecurity leaders conducted by UK security vendor Egress, 95% of leaders are stressed about email security, questioning their effectiveness. Let’s explore key findings from the report:
Phishing Impact Worsens
Threat actors use deceptive practices, impersonate trusted individuals or organizations and target victims with phishing emails, messages, URLs, spoofed websites, and malicious attachments. Last year Egress reported that 92% of organizations fell victim to phishing attacks of which one-third contained ransomware payloads. Moreover, 96% of organizations experienced a negative impact from a phishing attack, a 10% jump from the previous year. Negative outcomes included financial losses (64%), customer churn (47%), and reputational damage (42%).
58% of Businesses Experienced Account Takeover Attacks
An account takeover attack is the ultimate impersonation tactic where threat actors gain unauthorized access to legitimate accounts via phishing, dark web marketplaces, credential stuffing or credential harvesting, then pose as employees to infiltrate systems, steal data or commit fraud. Based on the research, 58% of businesses suffered account takeover attacks and 79% of those were a direct result of successful phishing scams.
Incidents Bypass MFA Security
Multi-factor authentication (MFA) is often labeled as the ultimate defense against identity theft and account takeover attacks. However, contrary to popular belief, there has been an increase in takeovers of MFA-enabled accounts. Threat actors can use anything from ready-made phishing kits to man-in-the-middle techniques to defeat MFA.
Phishing Threats From The Supply Chain
Suppliers enjoy an implicit trust with the principal, making them an attractive target to adversaries. Smaller organizations may not have the same level of security defenses as their larger counterparts, making them low-hanging fruit. Once threat actors successfully compromise supplier accounts, they can be weaponized for highly targeted phishing scams or Business Email Compromise attacks against partner organizations. Security leaders are observing that phishing attacks are emerging not only from external hackers but internally, from compromised supply chain accounts.
Mounting Concerns Around Use of AI In Phishing
It’s impossible to talk about phishing and not mention the malicious use of generative AI. Threat actors can leverage tools like ChatGPT to create and automate multilingual phishing messages devoid of grammatical errors. AI chatbots can also mimic human interactions and can be used to produce phishing campaigns at scale. AI-based audio and video synthesis tools can mimic the voice and likeness of individuals and create hyper-realistic clones (a.k.a. deepfakes) which can be weaponized for cyberattacks. According to Egress, more than 60% of security leaders are deeply concerned about the use of deepfakes in phishing attacks and are losing sleep over the use of AI chatbots to create phishing campaigns.
Organizations Run Security Training To Meet Compliance Obligations
The Egress study shows that even though organizations conduct security awareness training, cybersecurity leaders doubt its effectiveness when it is applied broadly rather than customized by role or department. This doesn’t come as a surprise, since most organizations train employees with the objective of meeting compliance obligations instead of focusing on risk reduction. The research further revealed that only 19% of organizations go the extra mile to personalize security training based on job function and department.
Organizations Must Alter Their Phishing Mitigation Approaches
Below are some recommendations and best practices that organizations can adopt to alter their current mitigation approaches:
- Be Behavior-focused: Awareness should not be the only objective of security awareness training. Leverage phishing simulation tools, personalized training, contests, and gamification. Work on nurturing the security culture as well as employee attitudes, behaviors, and mindset. Ensure that cybersecurity is included on leadership and boardroom agendas.
- Switch to Phishing-resistant MFA: Phishing-resistant MFA is more reliably secure than traditional MFA and less susceptible to man-in-the-middle attacks and common types of phishing scams.
- Fight AI with AI: Consider deploying AI-based email security gateways that can perform real-time analysis of email content and verify whether it has been artificially generated by AI at scale. In addition, messages that are unusual or received out of context (even from trusted senders) should be flagged for further inspection and verification.
- Mandate Security In The Supply Chain: When bringing on new suppliers or partners, or renewing contracts with existing ones, be sure they undergo appropriate security training and meet minimum cybersecurity standards before they engage in business with you.
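Why "phishing-resistant" MFA holds up against the man-in-the-middle relays mentioned above, while a one-time code does not, is easier to see in code than in prose. The following simulation is an added example written for this article; it is not part of the Egress report and not code from any vendor. It models two logins through a relay proxy: a TOTP code (RFC 6238), which the proxy can forward unchanged, and an origin-bound assertion in the style of FIDO2/WebAuthn, where the authenticator signs both the server's challenge and the origin the browser actually saw. The origins, the shared keys, and the use of an HMAC in place of the authenticator's public-key signature are constructed simplifications for illustration; the relaying proxy is modeled only as a function that forwards messages, with no network code.

```python
import hashlib
import hmac
import secrets

# Constructed origins: the real relying party and a look-alike relay the victim is lured to.
RP_ORIGIN = "https://login.example.com"
PROXY_ORIGIN = "https://login-example.com.evil.test"


def totp_code(secret: bytes, now: int, period: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1): the code depends only on the secret and the time,
    never on where the user typed it, which is exactly what a relay proxy exploits."""
    counter = int(now) // period
    digest = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class TotpServer:
    """Relying party that accepts any valid code for the current time step."""

    def __init__(self, secret: bytes) -> None:
        self.secret = secret

    def verify(self, code: str, now: int) -> bool:
        return hmac.compare_digest(code, totp_code(self.secret, now))


def authenticator_sign(key: bytes, challenge: bytes, origin_seen_by_browser: str) -> bytes:
    """Stand-in for a WebAuthn assertion: the signature covers the challenge AND the
    origin the browser reports. (A real authenticator uses a per-site key pair; an
    HMAC with a shared key is an assumption made here to keep the example stdlib-only.)"""
    return hmac.new(key, challenge + b"|" + origin_seen_by_browser.encode(), hashlib.sha256).digest()


class OriginBoundServer:
    """Relying party that issues single-use challenges and checks that the signed
    origin matches its own, so an assertion produced on the proxy's page is useless."""

    def __init__(self, key: bytes, origin: str) -> None:
        self.key = key
        self.origin = origin
        self.pending: set = set()

    def new_challenge(self) -> bytes:
        challenge = secrets.token_bytes(32)
        self.pending.add(challenge)
        return challenge

    def verify(self, challenge: bytes, signature: bytes) -> bool:
        if challenge not in self.pending:
            return False  # replayed or never issued
        self.pending.discard(challenge)  # single use
        expected = authenticator_sign(self.key, challenge, self.origin)
        return hmac.compare_digest(expected, signature)


def relay_totp_login(server: TotpServer, user_secret: bytes, now: int) -> bool:
    """Victim types the code into the proxy's page; proxy forwards it verbatim."""
    code_typed_on_phishing_page = totp_code(user_secret, now)
    return server.verify(code_typed_on_phishing_page, now)


def relay_origin_bound_login(server: OriginBoundServer, key: bytes, browser_origin: str) -> bool:
    """Proxy fetches a genuine challenge, shows it to the victim's browser, and forwards
    whatever the authenticator returns. The browser signs the origin it is really on."""
    challenge = server.new_challenge()
    assertion = authenticator_sign(key, challenge, browser_origin)
    return server.verify(challenge, assertion)


if __name__ == "__main__":
    totp_secret = b"12345678901234567890"  # RFC 6238 test secret
    print("TOTP relayed through proxy accepted:",
          relay_totp_login(TotpServer(totp_secret), totp_secret, now=59))
    key = secrets.token_bytes(32)
    rp = OriginBoundServer(key, RP_ORIGIN)
    print("Origin-bound assertion relayed through proxy accepted:",
          relay_origin_bound_login(rp, key, PROXY_ORIGIN))
    print("Origin-bound assertion from the real site accepted:",
          relay_origin_bound_login(rp, key, RP_ORIGIN))
```

The TOTP path succeeds through the proxy because nothing in the code ties it to the page it was entered on; the origin-bound path fails because the signed origin is the proxy's, not the relying party's, and the single-use challenge also blocks a later replay. That binding, not the number of factors, is what makes MFA phishing-resistant.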
Phishing is nothing but an outcome of human error. To solve the human error problem, security teams must gain a better understanding of how users generally respond to online interactions (i.e., impatient, impulsive, distracted). Introduce tools and processes that work for people, not against them. Consider using a personalized coaching approach to security awareness training whereby users can immediately spot and report scams and social engineering attempts. Utilize the power of AI to block maliciously automated phishing campaigns. Update authentication methods and follow best practices to reduce the likelihood of human error.
Written by Stu Sjouwerman.