Blog IDECSI

Idecsi: Are phishing stats real?

Written by Daniel Bénabou | Nov 12, 2018 4:28:00 PM

Everywhere you turn on the Internet, you can find cyber security statistics – and they’re all very scary. I figured I’d pen a few quick words on some of the stats I’ve seen, to try and work out how much we should care, or what they’re really telling us.

“56% of organisations in a survey of 1,300 IT decision makers identified targeted phishing attacks as their biggest current cybersecurity threat.” [1]

This is a great starting point. It’s almost a cliché that phishing attacks are the biggest cybersecurity threat. But what is a phishing attack exactly? What are the consequences to a business? Okay, I know the literal answer to the first question, and so do you, but my point is different: a successful phish can lead to any number of different things:

  • Compromised credentials – now they’re in your email or document management system
  • A fraudulent payment made / bank account details changed
  • Installation of malware
  • Access for ransomware
  • Abusive use of your domain name to send phishing emails to your customers, suppliers, etc.
  • And many other things I’m sure you can think of as easily as me

The other thing about phishing is that it works, really well. When running fake phishing attacks within a company, an immature organisation has as much as a 40% click-through rate – that means 40% of employees will click on a link in a phishing email. According to some vendors, if your staff is well aware and well trained, that drops to 5% [1]. But just think about that. Imagine you have 1000 staff. 5% means that 50 people just clicked. If you have 10,000 staff, 500 of them clicked. That’s a hell of a lot of compromised mailboxes, fraudulent payments or malware installed – from a mature organisation!

Therefore, when considering how to defend an organisation against phishing, you have to

  • (a) assume it will work, and
  • (b) consider how to protect against the specific consequences.

How do you spot hijacked email accounts? How will you ensure that payments are prevented if staff are fooled?
One part of the answer is monitoring and detection technology of the sort that IDECSI provides.
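To make “spot hijacked email accounts” concrete, here is a small added example (mine, not IDECSI’s product logic) that runs two classic post-phish indicators over constructed mailbox audit events: a sign-in from a country never before seen for that user, and a new inbox rule that forwards mail to an external address. When both occur for the same user within a short window, it escalates to a “likely hijack” alert. The event schema, the `corp.example` domain, the one-hour window and all sample events are assumptions made up for the example.

```python
"""Toy detection of hijacked-mailbox indicators over mailbox audit events.

Added example, not IDECSI code. The event fields (ts, user, op, country,
forward_to) are an assumed schema loosely modelled on generic mailbox
audit logs; the events below are constructed, not real data.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: alice is hijacked after a phish, bob is benign.
EVENTS = [
    {"ts": "2018-11-12T08:01:00", "user": "alice", "op": "Login", "country": "FR"},
    {"ts": "2018-11-12T09:15:00", "user": "alice", "op": "Login", "country": "FR"},
    {"ts": "2018-11-12T09:40:00", "user": "bob", "op": "Login", "country": "FR"},
    {"ts": "2018-11-12T10:02:00", "user": "alice", "op": "Login", "country": "NG"},
    {"ts": "2018-11-12T10:05:00", "user": "alice", "op": "New-InboxRule",
     "forward_to": "someone@mail.example"},   # external forwarding destination
    {"ts": "2018-11-12T10:30:00", "user": "bob", "op": "New-InboxRule",
     "forward_to": "bob@corp.example"},       # internal, benign
]

INTERNAL_DOMAIN = "corp.example"      # assumed organisation mail domain
RULE_WINDOW = timedelta(hours=1)      # assumed correlation window


def parse_ts(value):
    """ISO-8601 timestamp string -> datetime."""
    return datetime.fromisoformat(value)


def detect_hijack_indicators(events, internal_domain=INTERNAL_DOMAIN,
                             window=RULE_WINDOW):
    """Return a list of (user, alert_kind, timestamp) tuples.

    Baseline: the set of countries a user has previously logged in from,
    built from the event stream itself. A first-ever login is never
    flagged, which is why the forwarding-rule correlation matters.
    """
    seen_countries = defaultdict(set)
    last_new_country_login = {}   # user -> timestamp of latest anomalous login
    alerts = []

    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = parse_ts(ev["ts"])
        user = ev["user"]

        if ev["op"] == "Login":
            country = ev["country"]
            if seen_countries[user] and country not in seen_countries[user]:
                alerts.append((user, "login-from-new-country", ts))
                last_new_country_login[user] = ts
            seen_countries[user].add(country)

        elif ev["op"] == "New-InboxRule":
            dest = ev.get("forward_to", "")
            if dest and not dest.lower().endswith("@" + internal_domain):
                alerts.append((user, "external-forwarding-rule", ts))
                # Escalate when the rule follows an anomalous login closely.
                last = last_new_country_login.get(user)
                if last is not None and ts - last <= window:
                    alerts.append((user, "likely-hijack", ts))

    return alerts


def summarize(alerts):
    """Group alert kinds per user, preserving order."""
    by_user = defaultdict(list)
    for user, kind, _ in alerts:
        by_user[user].append(kind)
    return dict(by_user)


if __name__ == "__main__":
    for user, kinds in summarize(detect_hijack_indicators(EVENTS)).items():
        print(user, "->", ", ".join(kinds))
```

Each indicator on its own is noisy (people travel; people forward mail to themselves), so the useful signal is the correlation: an unfamiliar login closely followed by a change that exfiltrates mail. In a real deployment the baseline would come from weeks of history rather than the same stream, and the external-forwarding check would also cover transport rules and OAuth grants.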

A few words about Ben Miller

Ben Miller is an experienced technologist and entrepreneur with a background in mathematics and software engineering. He is focused on bringing new technologies to market, which change conventional thinking. Within cyber security, we have long been used to complaining about users, and driving more work into the security team. Ben’s particular focus today is technologies which challenge this approach and instead make user empowerment a key part of the cyber discussion.

[1] https://www.cyberark.com/resource/cyberark-global-advanced-threat-landscape-report-2018/
[2] https://siliconangle.com/2017/11/30/phishing-attacks-cost-1-6m-average-enterprises-successfully-fighting-back/