Eighty-four percent of organizations were phishing victims last year, 59% of whom were hit with ransomware. Why, then, do less than a quarter of boards think ransomware is a top priority?
A report from insider threat management software company Egress found some startling conclusions when it spoke to IT leadership: Despite the pervasive and very serious threat of ransomware, very few boards of directors consider it a top priority.
Eighty-four percent of organizations reported falling victim to a phishing attack last year, Egress said, and of those 59% were infected with ransomware as a result. If you add in the 14% of businesses that said they weren’t hit with a phishing attack, and you still end up at around 50% of all organizations having been hit with ransomware in 2021.
Egress said that its data shows there has been a 15% increase in successful phishing attacks over the past 12 months, with the bulk of the attacks utilizing malicious links and attachments. Those methods aren’t new, but a 15% increase in successful attacks means that something isn’t working.
SEE: Password breach: Why pop culture and passwords don’t mix (free PDF) (TechRepublic)
Despite the increase in successful phishing attempts, and despite the fact that more than half of those attacks lead to ransomware infections, only 23% of boards of directors consider ransomware a top priority. Additionally, 52% of organizations allocate less than one quarter of their security budget to dealing with phishing despite the fact that 84% of organizations fell victim to such attacks in 2021.
Why is there such a disconnect?
The state of the phishing fight
“Despite 83% of our respondents spending a portion of their security budget on dedicated anti-phishing measures, it’s clear from previous data in this report that many attacks are still getting through,” the report said.
If you’re wondering what exactly businesses are doing, Egress said that 72% bought cyberinsurance, 64% retained legal counsel and 55% invested in forensic investigation services. Additionally, 98% of organizations said they conducted anti-phishing training during the past year, with 55% saying they did it more than once annually.
Insurance and training are where a break between ideas and reality begins to appear, the study suggests. In the case of insurance, which many consider to be a deterrent, is often the opposite. “Payouts to cybercriminals, particularly for ransomware demands, often fund further attacks and put organizations at greater future risk of repeat attacks,” the report said.
Egress said that cybercriminals will often seek out companies with cyber insurance, attack them and set the ransom just below the payout limit of their insurer, ensuring that they make money and incentivizing more businesses to opt to insure and ignore. “Some businesses believe the best idea is to pay and then they will at least be left alone in the future. Unfortunately, this is wishful thinking,” Egress said.
In terms of training, the report found that 45% of organizations replace their training supplier on a yearly basis, which Egress said suggests they’re looking for more effective training, or that they feel existing training isn’t working.
Jack Chapman, VP of threat intelligence at Egress, said that it isn’t very surprising that attacks continue to be successful despite training. “The truth is cybersecurity training is limited in its effectiveness. It’s a lot to expect people to be constantly vigilant to the threat of phishing,” Chapman said.
How to bridge the effectiveness gap
Training doesn’t work, insurance incentivizes cybercriminals, attack success rates are rising and boards don’t seem to care. It’s all leading to a serious gap between the serious threat posed by phishing and ransomware, and the attitude and budgetary responses IT leaders get.
Chapman said that boards may have any number of reasons for ignoring the threat of phishing and ransomware. Some, he said, are burying their heads in the sand, while others are relying on insurance to take care of the issue. Still others believe they aren’t high profile enough, or large enough, or in a lucrative-enough industry to be a target, Chapman said.
SEE: Google Chrome: Security and UI tips you need to know (TechRepublic Premium)
“There’s a lack of awareness about how ransomware gangs operate that feeds into that disconnect – people who sit on boards might not necessarily have an intimate knowledge of cybersecurity issues, so they may not understand the severity and scale of the issue,” Chapman said.
Closing that disconnect is going to be a key priority for IT leaders in 2022, Chapman said. He says that IT and security leadership know that their boards aren’t taking ransomware seriously. Unfortunately for them, it’s their responsibility to get through to their board members.
“It’s about making it feel ‘real’ to people who might not necessarily be fully aware of the severity of the problem and the likelihood of an attack. Carry out roleplays to help them to understand the potential damage caused by ransomware to educate the board on the real-world impacts – and how it can’t necessarily be fixed with an insurance payout,” Chapman said.