Research by Sophos has revealed that almost half of UK businesses have been compromised by phishing attacks in the last two years.
The research explained that bigger firms (those with between 500 and 1,000 employees) are more likely to be affected by such attacks, despite 78% of them offering their staff enhanced cybersecurity training, compared to just 50% of businesses with 250 or fewer employees.
.@Sophos: 45% of UK orgs hit by #phishing attacks from 2016 – 2018, w/ 54% report employees replying to unsolicited emails or clicking links in them; 54% of orgs of 500 – 1,000 employees been #phished in past 2 years. @SapioResearch @dannyjpalmer @ZDNet https://t.co/G3O7U9Rmg0
— Jay Kelley (@JayJKelley) March 13, 2019
Experts Comments below:
Tim Sadler, CEO at Tessian:
“As this research demonstrates, cybersecurity training isn’t a solution in itself. While it can educate employees on the tell-tale signs of phishing emails, it can’t instil total vigilance or eradicate the factors that lead to mistakes, such as tiredness or getting distracted. These human weaknesses are inevitable and, as long as they remain unprotected, cybercriminals will find ways to exploit them.
Moreover, training can’t prepare employees for advanced social engineering techniques that haven’t yet been seen. Malicious actors are evolving their methods at such a rate, and with such a level of creativity and organisation, that it can be difficult to prepare individuals for what is coming next.”
Corin Imai, Senior Security Advisor at DomainTools:
“Ultimately, this comes as no surprise; anyone who has an email account is likely to have received a phishing email of some kind and businesses, as inherently more profitable victims, are even more likely to find themselves targeted.
The fact that larger businesses are at a greater risk also makes sense, as these organisations are likely to have employees of various levels of cyber-literacy, making it more likely someone will take the initial bait.
Companies need to patch their human vulnerabilities by continuing to engage in robust training programmes, as well as investing in email filtering systems which can accurately identify phishing emails.”
The opinions expressed in this post belongs to the individual contributors and do not necessarily reflect the views of Information Security Buzz.