Cyber Mayhem: Firms Are Being Harmed By Phishing Attacks

• by Ray Schultz , Columnist, May 29, 2019

Here’s one detail you might not have known about email security: it doesn’t exist. 

On the contrary, 61% of all firms fear their businesses will be hurt by email-borne threats this year, according to "The State Of Email Security Report 2019," a study by Mimecast. 

And they’re right to worry. For example:

• 94% of firms suffered phishing attacks in the last 12 months, and 55% saw increases in phishing. 
• 71% had an attack where malicious activity was spread from one employee to others, a 64% increase over the prior year. 
• 67% saw more impersonation and business email compromise attacks, and 73% of the victims suffered a direct loss from such incursions.

That’s not all. Another 88% saw email-based spoofing of business partners or vendors, and 41% saw an increase in internal threats and data leaks.   

This has to erode the trust needed by email marketers to get their messages opened.   

Overall, business-disrupting ransomware attacks are up 26% over last year. And 49% of those polled suffered downtime for two to three days, and 31% for four to five days.

 “IT decision-makers are losing confidence in their organization’s ability to prevent the worst,” Mimecast states.

The most affected companies were in the finance, manufacturing, processional services and sci/tech industries, in that order, according to the report. Telecoms, agriculture, forestry and fishing and nonprofits were, happily for them, at the bottom of that scale.

Worse, this problem is global. The study reports that 62% of businesses in the UAE were hit by ransomware attacks, as were 61% in the U.S., 60% in Germany, 51% in Australia, 43% in the Netherlands and 39% in the UK.

Here are the harms they endured:

• Data loss — 39%
• Direct financial loss — 29%
• Loss of customers — 28%
• Some employees lost their jobs — 27%
• Loss of reputation — 20%
• Lost their position in our market — 11%
• Don’t know — 2%
• Their organization has suffered no losses due to an email-based impersonation attack in the last 12 months — 20%

The situation could be improved with better employee training. But it’s not clear that firms have acted on that idea.

Mimecast conducted a phishing simulation at a technology firm with over 6,500 employees. 

It found that 12% clicked on the suspicious simulated emails, whereas 76% didn’t. That 12% is frightening, since only one opened phishing email can create havoc. 

And it wasn’t as if they studied the email first. Among the 12% who clicked on the emails, 7% clicked in under one second, 3% clicked at 30 seconds and 2% took longer. 

The main lessons from this report? We quote Mimecast:

• Playing defense only won’t cut it; in 2019 and beyond, you’ve got to be prepared for the worst. 
• Security breeches don’t just slow you down, they have a direct impact on your business.
• If you’re part of a supply chain, you’re a significant target.
• Awareness training needs serious attention, improvement and investment. 

Vanson Bourne, a research firm commissioned by Mimecast, surveyed 1,025 IT decision makers worldwide.