How can organisations survive the phishing pandemic?

Published in April, the Government’s Cyber Breaches Survey confirmed that phishing remains at the top of the list as the most popular attack vector being used by cybercriminals.79% of the businesses surveyed confirmed that their organisation had experienced a phishing attempt in the last 12 months.

While this statistic won’t come as a surprise to cybersecurity experts, there is concern amongst those working in the space that phishing has become ‘boring’ and may be falling down the cybersecurity agenda for businesses. This claim is supported by the same Government Cyber Breaches Survey, which found that only 19% of organisations surveyed had carried out any staff training against phishing in 2022.

Yet, further reports have found that human error plays a part in 82%-95% of successful breaches, and the frequency of attacks is on the rise. It’s a worrying sign that cybersecurity training, awareness and building workforce resilience appears to be less of a priority today.

So, what steps should organisations be taking to survive this phishing pandemic?‍

To answer this question firstly we need to look at the ‘what’ and the ‘why’.

Phishing just as the name suggests is a social engineering tactic used by cybercriminals to hook prospective targets using fraudulent emails and messages. These communications pretend they are from reputable companies and normally include a link, asking you to click on it, or to open an attachment, or more simply a general request for sensitive information e.g., bank account details or passwords. These emails and messages used to standout like a sore thumb in people’s inboxes, but nowadays they are a lot cleaner in formatting and could easily be confused as a sales deck from a third party or an invoice to be paid from a conference that the team attended months ago.

As to ‘why’ phishing remains cybercriminals most prevalent form of attack. Ultimately, it comes down to the cost, how effective a strategy it remains and the fact that the tactic continues to work.

Phishing is a relatively cost-effective way for cybercriminals to infiltrate organisations. By targeting trusted sources within a business, these people have direct access to a company’s digital estate, important data and customer information. Entry is the first and often the hardest hurdle for criminals to overcome. By gaining access through the front door, which phishing effectively grants you, there is no need for cybercriminals to develop costly and clever tools that can manoeuvre their way around security systems.

These types of attacks have the potential to be hugely damaging to organisations, with threat actors having the ability to lock businesses out of key systems, hold them to ransom, steal data, and cause no end of damage, both financially and reputationally with minimal effort.

The financial cost of a cyber-attack varies hugely, depending on the size of the organisation, what is affected, or taken, how long the disruption lasts and what the demands are, if any. There are numerous industry reports claiming this cost to be in the millions, which is true in many cases where enterprise level organisations are involved. If you look at the attack on Capita that took place earlier this year, reports are estimating that this could cost the outsourcing firm, which customers include Royal Mail and AXA, £20 million alone. However, the Cyber Breaches Survey estimates the average cost for medium and large businesses to be around £4,960 per attack. These figures don’t take into account the reputational damage caused though, which can take years to rebuild, ransom demands, and/or what impact a phishing attack can have on your workforce and their wellbeing and mental health.

Phishing methods are becoming more sophisticated. As mentioned, only a few years ago phishing emails where clunky, poorly formatted, and usually had little relevance to the target, making them easier to spot in a cluttered inbox.

Technology has moved on however, and we are now in the era of AI. While this is still in its infancy as a mass market product and its full potential is yet to be seen, these new applications have the potential to take phishing to the next level. Not just in sophistication but also in reducing the time it takes to write convincing copy and make approaches. There is also the potential for AI to make code more complex and harder to understand – this is known as malware obfuscation. By making code harder for systems and humans to detect, it could delay security team’s ability to react and also how long it takes to resolve an attack.

‍Building workforce resilience is key‍

Every organisation is different, it has different systems, data and information that needs to be protected. The type of digital infrastructure will hugely influence the scope of protection and where investment is needed, but ultimately, an effective and robust cybersecurity strategy should be built on technology, processes and people.

Each of these areas needs to work collaboratively with the other. There is little point in having the best technologies in place if your workforce doesn’t know what to look out for and/or what to do if they suspect the company is under attack.

Phishing focuses on manipulating human behaviour and prying on the fact that people do make mistakes – remember the statistic at the top of this article, ‘human error plays a part in 82%-95% of successful breaches’.

As such, an effective strategy for helping to reduce the chances of your organisation falling victim to a phishing attack must include cyber awareness training. Businesses need to be investing in building workforce resilience. This planning needs to focus on how to prevent attacks in the first place, but also what to do in the case a mistake is made.

Organisations need to be building a culture around cybersecurity, and educating the workforce that protection is a whole organisational concern and not just the concern of the IT team. Training doesn’t have to be expensive, but the more time and money invested in it should help. This training should start on day one of a staff members employment, it should be built into onboarding programmes, and refreshed frequently, as the methods cybercriminals are using are constantly changing, and not just seen as a tick box exercise.

Cybersecurity awareness training doesn’t need to be complicated either. It can be a conversation between those in charge of protecting your organisation and other members of staff, or a monthly or bi-monthly team presentation. But there are other options too, including crisis simulation. By dropping your team in to real life situations, these exercises can challenge your team to make critical decisions, and simulate all types of attacks, including ransomware outbreaks, insider threats, data breaches, and of course, phishing attacks. These exercises build awareness and muscle memory. Cybersecurity needs to be treated just like any other health and safety exercise and practiced over and over to be most effective.

So how do organisations survive the phishing pandemic? Businesses need to understand that phishing is here to stay and adopt a mentality of ‘when’ they’ll be a target, rather than ‘if’. To protect themselves and their workforce, investment needs to be in technology, processes and as importantly, people.

Laurence Bentley is Head of Cyber Security at multi-award-winning cybersecurity solutions provider Core to Cloud. Core to Cloud is one of the premier suppliers of cybersecurity solutions to the NHS, helping to protect over a quarter of the Trusts in England and Wales as well as working closely with National Services Scotland.

‍