Ivanti has released a survey that suggests that most businesses are failing in the battle against phishing. The survey reflects the responses of more than 1,000 IT professionals from the US, the UK, France, Germany, Australia, and Japan, the vast majority (80 percent) of whom reported that the volume of phishing attempts has increased during the pandemic.
The problem is that a distressing number of those attacks have proven to be effective. Seventy-four percent of the respondents confirmed that their organization had been the victim of a phishing attack in the past year, while a full 40 percent confirmed that one had happened in the past month.
The respondents attributed those success rates to a number of different factors, including a lack of education and the understaffing of IT departments. More than half (52 percent) of the respondents worked for an organization that had had staff shortages, and 46 percent blamed a successful phishing attack on that lack of personnel. In that regard, they explained that it takes more time to resolve an incident when there aren’t enough people to do the work, and that in turn prevents the organization from dealing with security issues in a timely fashion.
The IT professionals also expressed frustration with the rest of the workforce, noting that many employees do not complete the cybersecurity training available through their company. Thirty-four percent of the respondents identified poor education as a primary factor in successful attacks.
However, it is worth noting that IT professionals are not blameless on that front. Phishers are now targeting IT departments directly (73 percent had experienced such an attack), and those attacks had a 47 percent success rate even though the IT team should know better. The effectiveness of those attacks speaks to the increased sophistication of phishing strategies, with 85 percent reporting that phishing has gotten more complex.
Ivanti went on to note that phishing attacks were more likely to succeed when targeting mobile devices rather than corporate servers. That trend is in keeping with the rise of the remote work environment, and indicates that businesses need to do a much better job of securing endpoints outside of the office.
“Anyone, regardless of experience or cybersecurity savvy, is susceptible to a phishing attack,” said Ivanti Product Management Senior Director Chris Goettl. “Organizations need to implement a zero trust security strategy that incorporates unified endpoint management with on-device threat detection and anti-phishing capabilities. Organizations should also consider getting rid of passwords by leveraging mobile device authentication with biometric-based access to eliminate the primary point of compromise in phishing attacks.”
The Ivanti report echoes a separate report from Trend Micro that similarly found that most businesses are unprepared to deal with the influx of phishing and ransomware threats. Ivanti itself has previously reported that many remote workers are still engaging in risky password practices, and that businesses are not doing enough to enforce stricter standards.