There's really no way to have a thorough, comprehensive discussion of corporate cybersecurity today without addressing the issue of phishing. Phishing has become one of the most popular techniques embraced by cyberattackers around the world, and it's easy to see why.
Compared to most other hacking strategies, phishing is easier and more likely to yield success.
Given all of this, it's not surprising that phishing remains a major cybersecurity issue that shows no signs of waning, as The Telegraph contributor Robert Holmes recently highlighted.
"97% of people are unable to identify a phishing email when they see one."
Phishing problems
Holmes offered a number of statistics that put into sharp relief just how big a problem phishing has become for companies' cybersecurity efforts. Most notably, he asserted that 97 percent of people are unable to identify a phishing email when they see one. This speaks directly to the effectiveness – and danger – inherent in phishing attacks: there is no way to block or thwart them purely through the use of IT tools. Defense against phishing depends entirely on employees' awareness and knowledge, and most people simply have not reached a sufficient level of expertise in this area.
Additionally, Holmes noted that RSA research has found that a new phishing attack occurs approximately every minute. What's more, these attacks cost firms about $4.5 billion in 2014 alone.
Different tactics
The writer pointed out that phishing attacks can adopt a number of different forms, although they all generally share the same goal. Holmes explained that these cyberattacks may attempt to represent an official government agency, a financial institution or even just a private-sector retailer that the target is likely to recognize and trust.
Phishing cyberattackers also vary in their goals. Some aim for immediate, direct profit by stealing and using their targets' credit cards and other sensitive data. When employees are the targets, this information will include clients' financial data as well. In other cases, Holmes pointed out, phishing cyberattackers have no intention of using the stolen data themselves, but will instead sell it on the black market to other cybercriminals.
Whatever the specifics, phishing attacks share the goal of imitating a trustworthy source in order to trick the target into opening a link or downloading a file that will grant access to the cyberattacker. And as Holmes' statistics demonstrate, these efforts have proven extremely successful in recent years.
Employee focus
In light of the damage caused by phishing attacks, as well as their continued popularity, it is imperative for business leaders to recognize this threat and take steps to protect their organizations and their clients from cyberattackers utilizing these tactics.
Critically, this should be seen as a top-level priority for all companies, not just large enterprises. While bigger corporations may seem like a more tempting target, many cybercriminals adopt a more-is-better approach to phishing, including firms of all sizes and sectors in their efforts. The rewards for success in any phishing effort are so great that cyberattackers will aim for as many potential targets as possible.
The need for phishing-specific defenses is therefore clear. But as Holmes pointed out, this can be an uphill battle. As further evidence, a recent Bloomberg BNA report found that employee negligence accounted for more than one-third of all surveyed cybersecurity incidents. Current anti-phishing efforts are not sufficient.
Instead, companies should look for information security awareness programs that make phishing a key focus and provide genuine practice for participants. Rather than merely describing a typical phishing attack, these offerings should incorporate simulations, interactive training and engagement. Only such a comprehensive, in-depth approach can prepare a workforce to recognize phishing attacks when they see them.