The frequency of phishing threats has risen considerably since the pandemic started, with companies experiencing an average of 1,185 attacks every month, according to a survey from GreatHorn.
Phishing attacks and the pandemic
Additionally, 38% reported that a coworker fell victim to an attack within the last year. As a result, 15% of organizations are now left spending anywhere from one to four days remediating malicious attacks during what is already a precarious and strenuous time for many.
The report asked a sample of 317 professionals, ranging from executives to IT security practitioners across the greater cybersecurity industry, to provide insights based on their personal experiences throughout the pandemic.
The report broke down how companies have actually fared in the face of phishing attacks throughout the crisis and how the time and money budgeted for cybersecurity efforts have fluctuated during this time. It also asked participants to assess their levels of awareness and proficiency in identifying and avoiding phishing emails.
Results showed a sharp uptick in the frequency of attempted phishing attacks and a major increase in time allocated towards attack mitigation, removal and additional incident response. They also highlighted the risks plaguing organizations that don’t prioritize employee cybersecurity awareness.
Proliferating threats result in increased costs
Cybersecurity threats are on the rise – 53% of those surveyed said that they had witnessed an increase in phishing activity since the start of the COVID-19 pandemic. The survey revealed that, on average, organizations are remediating 1,185 phishing attacks every month.
Even employees who are confident in their phishing identification skills are more likely to slip up when faced with a massive number of malicious emails, and the impact of a successful attack is felt both monetarily and through time consumed by threat remediation.
With 15% of organizations spending 1-4 days remediating attacks, the total time lost due to this increase in attacks is hurting the bottom line.
The stakes are rising, and victim-blaming is all too common
The survey also found that a promising 64% of employees feel confident in their ability to identify and avoid a phishing email in real time. However, the consequences of an unfortunate misstep are felt on a personal level.
38% of respondents confirmed that a member of their organization had fallen victim to a phishing attack within the last year, and 39% feel that such an error reflects poorly on the victimized employee. This kind of outlook can foster anxiety and risk hurting employees’ confidence in their own abilities.
It also strongly reinforces the need for ongoing awareness training and for giving employees the tools and information they need to make better in-the-moment decisions as they engage with their email.
Employees receive some awareness training, but not nearly enough
Furthermore, while 76% of organizations conduct cybersecurity awareness training, only 30% train employees quarterly – and 27% conduct training only once a year. This is likely to be inadequate, especially when employees both young and old are similarly vulnerable – 62% of respondents believe that employees of all ages and generations are equally likely to fall victim to a phishing attack. Today’s threats are evolving so rapidly that growing up with technology is no longer considered an advantage for younger workers.
Cybercriminals are also less concerned with where employees stand on the organizational depth chart. When asked to select who would most likely be targeted in phishing attacks, 56% said it’d be a mid-level manager, followed closely by an entry-level staffer at 51% and the CEO or head of the company at 49% – dispelling the myth that only the C-suite is highly targeted.
“With such a substantial portion of these attacks yielding success, the time lost on remediation can have a detrimental impact on productivity and profitability. Right now, it’s more important than ever that companies provide their employees with the knowledge and tools necessary to recognize and fend off phishing attacks.”