How to Stop Phishing Attacks: Cybersecurity Research Findings

Nearly eight in 10 organizations say security awareness training measurably reduced their susceptibility to phishing, according to a new report devoted to that attack type.

The figure stands out prominently considering that nearly 90 percent of global organizations surveyed in Proofpoint’s sixth annual State of the Phish report were targeted with business email compromise (BEC) and spear phishing attacks in 2019. The report is yet another stark example (among many) of the effectiveness of employee security training in combating phishing and the malware and fraud it delivers.

Along those lines, end users reported more than nine million suspicious emails in 2019, an increase of 67 percent over 2018, the data showed. Users need to be increasingly vigilant in order to identify sophisticated phishing lures, and reporting mechanisms allow employees to alert security teams to potentially dangerous messages that evade perimeter defenses, Proofpoint said.

Amid that reality, thousands of MSPs and MSSPs have extended their cybersecurity services to include automated security awareness training tools and progress report services, according to MSSP Alert's ongoing market coverage.

Here are three additional take-aways from the report:

  • 55 percent of surveyed organizations dealt with at least one successful phishing attack in 2019.
  • 88 percent of organizations worldwide reported spear-phishing attacks, 86 percent reported BEC attacks, 86 percent reported social media attacks, 84 percent reported SMS/text phishing (smishing), 83 percent reported voice phishing (vishing), and 81 percent reported malicious USB drops.
  • 65 percent of surveyed infosec professionals said their organization experienced a ransomware infection in 2019; 33 percent opted to pay the ransom while 32 percent did not. Of those who paid, nine percent were hit with follow-up ransom demands, and 22 percent never regained access to their data, even after paying.

Recognition of common cybersecurity terms is lacking among many users. In the global survey, working adults were asked to identify the definitions of the following cybersecurity terms:

  • Phishing (61 percent correct)
  • Ransomware (31 percent correct)
  • Smishing (30 percent correct)
  • Vishing (25 percent correct).

Proofpoint concluded that these less-than-stellar findings indicate a knowledge gap among some users and a potential language barrier for security teams attempting to educate employees about those threats. “Effective security awareness training must focus on the issues and behaviors that matter most to an organization’s mission,” said Joe Ferrara, senior vice president and general manager of security awareness training for Proofpoint. “We recommend taking a people-centric approach to cybersecurity by blending organization-wide awareness training initiatives with targeted, threat-driven education. The goal is to empower users to recognize and report attacks.”

Proofpoint’s State of the Phish report examined global data from nearly 50 million simulated phishing attacks sent by Proofpoint customers over a one-year period, along with third-party survey responses from more than 600 information security professionals in the U.S., Australia, France, Germany, Japan, Spain, and the UK. The report also analyzes the fundamental cybersecurity knowledge of more than 3,500 working adults who were surveyed across those same seven countries.

D. Howard Kass

D. Howard Kass is a contributing editor to MSSP Alert. He brings a career in journalism and market research to the role. He has served as CRN News Editor, Dataquest Channel Analyst, and West Coast Senior Contributing Editor at Channelnomics. As the CEO of The Viewpoint Group, he led groundbreaking market research.