Proofpoint has issued its eighth annual State of the Phish study, which examines user phishing knowledge, vulnerability, and resilience.
According to the report, attackers were more active in 2021 than in 2020, with more than three-quarters (78%) of firms experiencing email-based ransomware attacks in 2021, while 77% experienced business email compromise (BEC) attacks.
The report demonstrates cybercriminals’ continued focus on compromising people rather than gaining access to systems via technical flaws.
Attacks in 2021 had a far greater effect than in 2020, with 83% reporting at least one successful email-based phishing attempt, up from 57% in 2020. In keeping with this, more than two-thirds of firms (68%) reported dealing with at least one ransomware attack stemming from a direct email payload, second-stage malware distribution, or other exploits.
The year-over-year growth is steady, but it reflects the challenges that companies faced as ransomware attacks increased in 2021.
“Where 2020 taught us about the need to be agile and responsive in the face of change, 2021 taught us about the need to better protect ourselves,” said Alan Lefort, SVP and GM of Security Awareness Training for Proofpoint.
“As email remains the favored attack method for cyber criminals, there is clear value in building a culture of security. In this evolving threat landscape and as work-from-anywhere becomes commonplace, it is critical that organizations empower their people and support their efforts to learn and apply new cyber skills, both at work and at home,” Lefort added.
The shift to hybrid working accelerated in 2021, with 81% of organizations saying that more than half of their employees are working remotely (either part or full time) due to the pandemic. However, only 37% educate workers about best practices for remote working, illustrating a worrying gap in security best practice knowledge for the “new normal” of working.
For example, 97% of workers said they have a home Wi-Fi network, but only 60% said their network is password-protected, a major lapse in basic security hygiene.
“As partial work from home continues for many organizations across the Middle East, it is important for people to understand how to spot and report attempted cyberattacks. The way to do this is through effective security awareness training which focuses on the issues and behaviors that matter most to an organization’s mission,” said Emile Abou Saleh, Regional Director, Middle East and Africa for Proofpoint. “We recommend taking a people-centric approach to cybersecurity by blending organization-wide awareness training initiatives with targeted, threat-driven education. The goal is to empower users to recognize and report attacks.”
“Infosec and IT survey participants experienced an increase in targeted attacks in 2021 compared to 2020, yet our analysis showed the recognition of key security terminologies such as phishing, malware, smishing, and vishing dropped significantly,” said Lefort. “The awareness gaps and lax security behaviors demonstrated by workers create substantial risk for organizations and their bottom line. Our 2022 report offers actionable advice aimed at enhancing user awareness, reducing risk, and protecting people.”
Additional State of the Phish report global findings include the following key takeaways:
To download the State of the Phish 2022 report, and see a full list of global and regional comparisons, please visit: https://www.proofpoint.com/us/resources/threat-reports/state-of-phish.