According to a recent report by the the Anti-Phishing Working Group (APWG), phishing activity is at an all time high. APWG “observed more phishing attacks in the first quarter of 2016 than at any other time in history…the total number of unique phishing websites observed in Q1 2016 was a record 289,371, with 123,555 of those phishing sites detected in March 2016.” (Source: Phishing Activity Trends Report, 1st Quarter 2016, May 23, 2016).
At the same time, ransomware attacks have also spiked. “Kevin Haley, the director of product management at Symantec Security Response, said his group has seen an average of over 4,000 ransomware attacks per day since Jan. 1, a 300-percent increase over the approximately 1,000 attacks per day in 2015…” Ransomware attacks in the first quarter of 2016 are “coming at quadruple the rate seen last year…” according to figures from the group. (Source: fedscoop, “Ransomware attacks quadrupled in Q1 2016,” by By Greg Otto, April 29, 2016).
So are companies responding, training their people and prioritizing cybersecurity as one might hope? Apparently not, at least according to a newly published study by Experian Data Breach Resolution and Ponemon Institute.
The study, entitled “Managing Insider Risk Through Training & Culture,” found that 60% of companies surveyed believe that their employees are “not knowledgeable or have no knowledge of the company’s security risks…Additionally, the study showed a lack of concern by C-suite executives. Only 35% of respondents said that senior management sees it as a priority that employees are knowledgeable about how data security risks affect their organization.” (Source: info security magazine, “Orgs Turn Blind Eye to Risky Employee Behavior,” by Tara Seals, May 23, 2016).
According to Info Security Magazine which reported on the study, other findings of concern revealed that:
- less than half (46%) of surveyed companies make training mandatory for all employees;
- 60% of companies do not require employees to retake security training courses following a data breach, “missing a key opportunity to emphasize security best practices;”
- about 43% of companies provide only one basic course for all employees;
- phishing and social engineering attacks are covered in less than half of basic programs; mobile device security in 38%; and using cloud services safely is covered in less than a third (29%);
- 67% provide no incentives to employees for being proactive in protecting sensitive information or reporting potential issues; and,
- only 29% mention security in performance reviews. (Source: Id.)
These findings are a real concern. They make clear that despite increasing cyberattacks, especially those like phishing and ransomware directed at employees, organizations are not taking the steps necessary to prepare those employees to defend themselves and their company. We can only expect employees to ‘play their part’ in cyberdefense if and when we train them and make them aware of the dangers. Successful, savvy business leaders will do that, and they will make cybersecurity a priority in the months and years to come.