In a world where nearly all information and communication has shifted online, phishing remains the most common technique adversaries use to breach and exploit the digital assets of people and organizations. Over the last two years, with a global pandemic, the frequency of phishing incidents has increased significantly. Even organizations with mature cybersecurity controls still face this challenge, because phishing is not only a technical problem but also one that calls for human awareness. According to a report, industries witnessed a 6000% increase in pandemic-related phishing attacks in March last year.
Understanding The Risk In Terms Of PPP
Malicious actors craft emails and messages that stealthily pose as legitimate correspondence. They manipulate clients and users in order to gain backdoor access to an organization's data and funds. The Phish-Prone Percentage (PPP) measures how likely employees are to fall for such attacks (for example, by clicking a malicious link or entering data on a fake webpage masquerading as the original page); in other words, it is the percentage of users who fail a phishing simulation and are therefore likely to end up as the victim of a real social engineering (phishing) attack. The higher the PPP, the greater the risk, since it indicates that more employees fall for the fraud. Security experts break these risks down into measurable quantities to understand where the organization is vulnerable and to introduce safety measures and anti-phishing protocols that reduce data breaches. A low PPP means that the human security layer of an organization is well-equipped to handle these threats. Several security platforms help organizations by providing awareness training and conducting simulated phishing tests to improve the security posture. They train staff and management to identify and respond to these scams and help them understand where they stand.
Why Is Phishing So Successful And Who’s At Risk?
Phishing emails and pop-ups designed by adversaries are made to look enticing, and users are often drawn to them quickly. One click on such a malicious link can let the attacker's code infiltrate the user's system and harvest sensitive information, or install malware that keeps feeding information back to the attackers. Phishing continues to boom because it is relatively hard to discern whether a user or an organization has been compromised.
A recent analysis and benchmark report by KnowBe4, based on simulated phishing tests across 6.6 million users, indicates that organizations' failure to train their users effectively makes them highly susceptible to social engineering attacks. The Phish-Prone Percentage statistics show that no single industry is doing an adequate job of helping users identify phishing attacks or of implementing other defensive tactics.
- Among small organizations with fewer than 250 employees, the Healthcare and Pharmaceuticals industry is the worst hit, with a PPP of 34%, followed by the Education industry at 32.9%. Not-for-profit organizations were hit by phishing attacks more often than the manufacturing industry over the last year.
- Among mid-sized organizations with around 1000 employees, the Hospitality industry has been hit hard, with a PPP of 42.3%. Energy and Utilities enterprises follow at 35.7%.
- Among large organizations with more than 1000 employees, Energy and Utilities establishments are the most vulnerable, with a PPP of 52.4%. The Insurance industry closely follows with a PPP of 51.6%, and the Banking sector comes next at 47.5%.
Large legal organizations had the lowest Phish-Prone Percentage at 23.5%. Although lower than in other sectors, that figure is still a strong indicator that the human security layer cannot reliably recognize phishing attacks as they happen.
Demographic Impact Of Phishing
The impact of phishing attacks on various regions of the world, while broadly similar, differs with each region's demographic conditions and level of development.
- Africa's growth depends on its ability to adapt to a fast-paced, technologically advanced digital world. The critical drivers of cyber-crime in Africa are the sudden increase in digitalization, a broad online user base, a shortage of skilled human capital, and vulnerabilities in the communications and cybersecurity industry.
- The majority of phishing attacks in Europe succeed because of inadequate security protocols and insufficient awareness among users. Business email compromise (BEC) continued to rise as adversaries specifically targeted organizations. Large organizations that have moved to remote operations also face a significantly increased risk of attack.
- Asia has been at the frontline of these attacks for a few years now. The attacks were found to be primarily due to human error, and organizations had to reinforce the human link in their security chain. Phishing attacks mainly resulted in ransomware and malware infections, and one-fifth of Asia-Pacific organizations were hit by seven or eight cyber-attacks last year alone.
- South America's diversity made digitalization slow to take hold, and the subsequent rapid growth and adoption of digital technologies paved the way for an increase in cyber-attacks.
Statistics Show The Improvement That Adequate Training Can Bring About
Following the statistical analysis, some organizations undertook safety training and awareness programs to improve their security and to stop phishing emails from succeeding. Several platforms offer training and simulated tests to strengthen the security of their client organizations. The results show that organizations across all domains improved significantly after one year or more of security awareness practice and simulated tests.
- The improvement rate for small organizations was 85% or above after completing the training.
- For mid-sized organizations, the improvement rate averaged around 80% or more.
- And for large organizations, the improvement rates went up to 80%.
(Image Source: Cyber Security Summit)
Throughout the world, phishing remains one of the most damaging traps adversaries use to launch cyber-attacks. Today, every organization, big or small, is at risk of being snared by cyber-crime. Apart from stealing sensitive data from organizations, phishing attacks can also disrupt their online systems and information networks by introducing malware or ransomware. This makes it crucial for organizations to implement preventive measures such as anti-phishing solutions and awareness programs to curb the possibility of a cyber-attack.