In its report Hook, line and sinker: Why phishing attacks work, global cyber security firm Webroot polled 1,000 office workers in each of Australia, the US and the UK to gain insights on why phishing scams have become so effective in capturing data and money from individuals and businesses alike.
The Australian findings make for troublesome reading for employers.
The report found that more than half (56 per cent) of the local workers have had their data compromised, and for 28 per cent, this had occurred more than once.
Yet three in 10 workers who had been the victim of a data breach admitted they had not taken the most basic of steps to safeguard themselves: changing their passwords. Only a third said they reported the breach to a relevant government agency.
The report also found that Australians overestimate their ability to detect a phishing message, with 91 per cent believing they can tell the difference between a fake and a real message, despite fewer than half realising phishing scams can take place through video chat, postal mail or app notifications. And only 53 per cent realised scams can also take place by phone.
“Phishing attacks continue to grow in popularity because, unfortunately, they work,” said Webroot’s product marketing director, George Anderson.
“Hackers and criminals weaponise the simple act of clicking and employ basic psychological tricks to inspire urgent action. It is vital that consumers educate themselves on how to protect both their personal and financial data and what steps to take if their information is compromised or stolen.”
Mr Anderson added: “For businesses, that means implementing regular simulated phishing and external attacks that address the various ways hackers attempt to breach organisations through their users.”
Webroot quoted US-based research professor Cleotilde Gonzalez, of Carnegie Mellon University in the US city of Pittsburgh, as stating that “security and productivity are always in a trade-off”.
“People put off security because they are too busy doing something with a more ‘immediate’ reward,” she said, suggesting that businesses and their employees need “a mindset makeover” to keep long-term cyber security needs in the present.
Industry itself partly to blame: CRTT
While the act of changing passwords — particularly after a data breach — is an individual one, the Cyber Resilience Think Tank (CRTT), a collective of digital security organisations, suggested that the IT and security industry itself is partly to blame for the current security threat and the shortage of skilled professionals available to address it.
CRTT found in its e-book Decluttering your security environment that the average number of security tools within an enterprise is 75, which it said “can be counterintuitive, as it results in too much complexity”, however well-meaning the industry may be in combating security breaches.
“Controls are a drag coefficient on people, data and business processes,” said Malcolm Harkins, chief security and trust officer at Cymatic.
“When you have too much friction in your environment because of the controls, you’re actually creating a systemic business risk for your organisation.”
Agreeing with this belief was Mimecast’s vice-president of threat intelligence, Joshua Douglas.
“Despite the number of tools and technologies on the market rapidly multiplying, the rate of attacks isn’t slowing down,” Mr Douglas said.
“Organisations often struggle to navigate through the complexity of having multiple security tools and under-resourced IT and security teams. There’s a need for the industry to work better together to help improve organisations’ security postures.”
Meanwhile, Cybereason CSO Sam Curry said that the skills gap plaguing the industry is “something we have largely created for ourselves”.
“It’s the complexity issue that has manifested itself in human form. It’s hard to find someone that knows 75 security solutions,” he said.
Declutter your IT security
CRTT said there are three key things that businesses can do to make their IT security environment more user-friendly and less cluttered:
- Take stock of what you have, make sure it is connected and use it. “As security vendors make advances to their products, companies may not be aware of new features and functionality. A key first step is to turn on all of the relevant features when assessing what products are needed,” it said.
- Don’t overinvest. “Consider a plan where you take a methodical approach to see incremental improvement over a finite period. Even if the changes are minute, they can add up to a more secure, less complex environment over time.”
- Consider your resources. “When adding new services to the security stack, ensure that it’s correct for the environment, specifically the resources and employees required to implement and manage it.”