How prepared are organizations to face email-based ransomware attacks?

Proofpoint released a report which provides an in-depth look at user phishing awareness, vulnerability, and resilience. The report reveals that attackers were more active in 2021 than 2020, with findings uncovering that 78% of organizations saw email-based ransomware attacks in 2021, while 77% faced business email compromise attacks (BEC) (18% YoY increase of BEC attacks from 2020), reflecting cybercriminals’ continued focus on compromising people, as opposed to gaining access to systems through technical vulnerabilities.

This year’s report examines responses from commissioned surveys of 600 information and IT security professionals and 3,500 workers in the U.S., Australia, France, Germany, Japan, Spain, and the UK. The report also analyzes data from nearly 100 million simulated phishing attacks sent by customers to their employees over a one-year period, along with more than 15 million emails reported via the user-activated PhishAlarm reporting button.

Attacks in 2021 also had a much wider impact than in 2020, with 83% of survey respondents revealing their organization experienced at least one successful email-based phishing attack, up from 57% in 2020. In line with this, 68% of organizations said they dealt with at least one ransomware infection stemming from a direct email payload, second-stage malware delivery, or other exploit. The year-over-year increase remains steady but representative of the challenges organizations faced as ransomware attacks surged in 2021.

“Where 2020 taught us about the need to be agile and responsive in the face of change, 2021 taught us about the need to better protect ourselves,” said Alan Lefort, SVP and GM of Security Awareness Training for Proofpoint.

“As email remains the favored attack method for cyber criminals, there is clear value in building a culture of security. In this evolving threat landscape and as work-from-anywhere becomes commonplace, it is critical that organizations empower their people and support their efforts to learn and apply new cyber skills, both at work and at home.”

The shift to hybrid working accelerated in 2021, with 81% of organizations saying that more than half of their employees are working remotely (either part or full time) due to the pandemic.

The challenges of remote working

However, only 37% educate workers about best practices for remote working, illustrating a worrying gap in security best practice knowledge for the “new normal” of working. For example, 97% of workers said they have a home Wi-Fi network, but only 60% said their network is password-protected, a major lapse in basic security hygiene.

“Infosec and IT survey participants experienced an increase in targeted attacks in 2021 compared to 2020, yet our analysis showed the recognition of key security terminology such as phishing, malware, smishing, and vishing dropped significantly,” said Lefort.

“The awareness gaps and lax security behaviors demonstrated by workers creates substantial risk for organizations and their bottom line. Our 2022 report offers actionable advice aimed at enhancing user awareness, reducing risk, and protecting people.”

Additional findings

Almost 60% of those infected with ransomware paid a ransom. 32% paid additional ransom sums to regain access to data and systems. 54% regained access to data/systems after the first payment, while 4% never got access to data/systems, even after paying. 10% refused to pay additional ransom demand(s) and walked away without data.

Many workers exhibit risky behaviors and fail to follow cybersecurity best practices. 42% said they took a dangerous action (clicked a malicious link, downloaded malware, or exposed their personal data or login credentials) in 2021. And 56% of people who have access to an employer-issued device (laptop, smartphone, tablet, etc.) allowed friends and family to use those devices to do things like play games, stream media, and shop online.

Awareness of key security terminology dropped (in some cases, significantly) year-over-year. Only 53% of respondents were able to correctly identify the definition of the term ‘phishing’ in a multiple-choice array. This was down from last year’s 63% mark, a 16% year-over-year decrease.

Only 63% recognized the definition of malware (down from 65% in 2020), just 23% identified the definition of smishing (down from 31% in 2020), and only 24% recognized the definition of vishing (down from 30% in 2020). Ransomware was the only term that saw a global increase in recognition, with correct answers rising from 33% in 2020 to 36% in 2021.

Employees were able to better report suspicious emails they receive in their inboxes. Over our one-year measurement period, users alerted their security teams to more than 350,000 credential phishing emails, nearly 40,000 emails with malware payloads, and more than 20,000 malicious spam emails.

U.S.-specific findings

The following U.S.-specific findings show how much cybersecurity practices and behaviors can vary by region:

• More than 80% of workers in the U.S. use one or more of their own devices for work, the highest of any region surveyed. 64% said they use personal phones/smartphones and 30% use personal tablets. In comparison, 73% of global respondents said they use employer-issued devices for work.
• 55% of U.S. workers surveyed admitted to taking a risky action in 2021. 26% clicked an email link that led to a suspicious website, and 17% accidentally compromised their credentials.
• 52% of U.S. workers dealt with a cyberattack or fraud in 2021. 19% were victims of identity theft, and 17% paid a ransom to regain access to a personal device or data.
• 84% of U.S. organizations said security awareness training has reduced phishing failure rates, the highest of any country surveyed.
• At 67%, U.S. organizations are most likely to use phishing tests that mimic trending threats, compared to the 53% global average.