Why Organizations Need to Take Phishing Threats Against Their Employees Seriously

There are still some businesses out there who believe that phishing attacks on their employees don’t impact their organization. That it’s just a one-to-one attack on an employee that involves personal identity theft and their organization is shielded from any harm.

Think again!

According to 2019 stats compiled by Retruster:

  • The average financial cost of a data breach is $3.86 million (IBM)
  • Phishing accounts for 90 percent of data breaches
  • 15 percent of people successfully phished will be targeted at least one more time within the year
  • BEC scams accounted for over $12 billion in losses (FBI)
  • Phishing attempts have grown 65 percent in the last year
  • Around 1.5 million new phishing sites are created each month (Webroot)
  • 76 percent of businesses reported being a victim of a phishing attack in the last year
  • 30 percent of phishing messages get opened by targeted users (Verizon)
  • Organizations spend $13 million dealing with the consequences of sophisticated attacks

If these figures don’t speak for themselves, then consider the response costs organizations face when dealing with phishing attacks on their employees. According to a survey of more than 300 businesses in the US and UK by Agari, responding to a phishing attack takes an average of approximately 6 hours, and even false-positive attacks take about 4 hours. Multiple responses can add up to a significant amount of time, money, and resources spent by organizations on phishing triage. According to Gartner, “Many organizations’ security operations teams report that their work around investigating suspected phishing emails is heavily repetitive and requires many meticulous steps, such as checking multiple blacklists and different IT systems within the company.”

As we’ve blogged about, the human element is inherently the weak link in the security chain and the sophistication of today’s threat actors leaves employees and organizations at risk. A CIO Dive article shared some Egress survey data of interest:

  • 79 percent of IT leaders believe employees have unintentionally invited security risk at their organizations in the past 12 months
  • 60 percent of data breaches are a result of employees rushing or making mistakes

During a typical day, employees can browse numerous websites and go through hundreds of emails. Even the most well-trained and observant employee can get distracted and be directed to an unsecure website, click on a phishing link or download a file with malware. Cybercriminals use a variety of phishing techniques including pop-ups, ads, search engines, social media, rogue browser extensions, chat apps and web “freeware” to attack their targets.

No matter how much education companies put into making their employees phishing savvy, or how secure a company’s IT security platform is, hackers only need to obtain a single employee’s credentials to gain access to a corporate network. Companies are only as secure as that weakest link in their user base, and organizations can no longer extensively rely upon end users to protect their networks.

Bottom line for organizations… employees are the gateway to their network, data, and assets that are targeted by threat actors today. Employee training and traditional security protocols are important, but they alone are no match for today’s sophisticated phishing threats. What’s needed is real-time, automated, zero-hour phishing threat prevention.

SlashNext Real-Time Phishing Threat Intelligence is the industry’s broadest, most up-to-the-minute intelligence on phishing threats. It is powered by SEERTM (Session Emulation and Environment Reconnaissance) threat detection technology using virtual browsers in a purpose-built cloud to dynamically inspect sites with advanced computer vision, OCR, NLP, and active site behavioral analysis. Machine learning enables definitive verdicts—malicious or benign—with exceptional accuracy and near-zero false positives. Unlike other anti-phishing technologies and threat feeds, SlashNext covers all six major categories of phishing and social engineering threats–credential stealing, scareware, rogue software, phishing exploits, social engineering scams, and phishing callbacks (C2s). Most importantly, it identifies live zero-hour threats in real-time and allows organizations to respond in real-time with automated blocking through their firewall.

Organizations need to take phishing threats against their employees seriously. See what threats you’re missing. Contact us for a demo or try SlashNext Real-Time Phishing Threat Intelligence free for 15 days.

*** This is a Security Bloggers Network syndicated blog from SlashNext authored by Lisa O'Reilly. Read the original post at: