Corporate reliance on email continues to rise, with 82 percent of companies reporting higher volumes of emails in 2022 compared to 79 percent in 2021. This has led to increased email-based threats in the form of phishing emails. Most IT experts who participated in the study, published this month, predict their organizations would face an email-based attack this year. “More email has led to more email-based threats, and three out of four (74%) SOES respondents say these have risen over the past 12 months. But while the increasing number of threats is a problem, their growing sophistication poses an even greater risk,” the report said. For the 2023 SOES report, research firm Vanson Bourne surveyed 1,700 cybersecurity professionals around the globe. The respondents represent companies with about 250 to 10,000 employees across the telecoms, technology, retail, healthcare, manufacturing, energy, financial services, and public sectors. The participants’ concerns primarily revolve around phishing, ransomware, and spoofing, which the report describes as “the terrible trio.” Three-fourths of participants said their organization had experienced increased email-based threats such as phishing, two-thirds were affected by ransomware attacks, while eight out of ten believe their organization is at risk due to careless employees, among other things. Employee carelessness or negligence is classified as an insider threat. “Multi-stage, multi-vector attacks have become the norm, with criminals using one entry point to open the door to others. In today’s networked business world, even small security shortcomings and mistakes can have a devastating domino effect,” the report said.
Phishing is a Greater Concern Than Ransomware
Out of the “terrible trio,” phishing was the most widespread. So, while ransomware has affected eight in ten organizations in various sectors like energy, healthcare, media, and entertainment, phishing is of the greatest concern. This is probably justified, as 90 percent of corporate data breaches stem from phishing attacks. Also, 71 percent of large organizations that employ over 10,000 people have reported significantly more phishing attempts. “There were an estimated 255 million phishing attempts in 2022, a 61% jump over the prior year. Worse yet, more than 70% of these emails were opened by the recipient,” the report said. Furthermore, “attacks that quickly spread from one infected employee to others are close to all-time highs.” Practices like poor password hygiene, misuse of personal emails, oversharing on social media, and general negligence contributed significantly to the spread of infections. Email spoofing is also a serious risk, the report said. “Nearly all SOES respondents (91%) were aware of attempts to misappropriate their email domain,” while spoofing was more visible among public institutions and government agencies. Nearly nine out of ten respondents said their companies wish to use “Domain-based Message Authentication, Reporting and Conformance (DMARC) in the next 12 months to thwart email spoofing,” while less than one-third are using it, the report noted.
Concerns About Collaboration Tools
The 2023 SOES report raised concerns about essential business messaging and collaboration tools that are now commonplace in modern remote and hybrid work environments. These include Google Workspace, Slack, Microsoft 365, and others. “[These tools] provide a new threat surface for cybercriminals to infiltrate. And this, in turn, creates even more risk for CISOs and their teams to manage,” the report said. Furthermore, 72 percent of all respondents said it is highly likely, or inevitable, that a “collaboration-tool-based attack” will harm their organization in 2023. As such, 94 percent of the respondents said their organizations need to increase their security budgets to account for security risks associated with MS 365 and Google Workspace applications.
Skepticism Over Cyber Insurance Policies
Cyber insurance is a subject that “sharply divided” the respondents, with 50 percent skeptical about it and 48 percent for it. This differs by industry. Those more skeptical about cyber insurance were in the construction, business services, and energy sector, while those in the IT and telecom, media and entertainment, and healthcare industries were for it. The survey also revealed that large organizations are less concerned about cyber insurance. Meanwhile, the report said rising concern over cyber awareness is yet to translate into increased cybersecurity budgets. “While SOES respondents agree cybersecurity is getting more respect than previously, this doesn’t always translate into dollars,” the report said, adding that two-thirds of respondents said cybersecurity budgets at their organization have not changed since last year and are less than they should be. The good news is that almost all respondents said their organizations have already deployed or are deploying “systems to monitor and protect against email-borne attacks.” Mid-sized organizations (250 to 500 employees) are also seeing a rise in the size of their cybersecurity teams.
Boards are Taking Cyber Risk Awareness Seriously
Organizations are now discussing cyber-risk at the board room meeting table, the report said. “Fundamental business decisions — such as mergers and acquisition, third-party vendor contracts, right-sizing, and supply chain partnerships — are now being shaped around levels of cyber risk,” the report revealed. To combat cyber risks, 92 percent of organizations are now benefitting from AI and machine learning capabilities such as accurate threat detection, threat blocking, and faster crisis response times. “Most SEOS participants (81%) agree that AI systems that provide real-time, contextual warnings to email and collaboration users would be a huge boon,” the report added. To boost cyber awareness at the workplace, C-suite executives and company board members are now implementing educational practices such as interactive training videos, which are highly effective. Also, 85 percent of respondents said they receive training at their workplace at least once a quarter, and that frequency is steadily rising. The 2022 Allianz Risk Barometer said cyber-risks had overtaken all other risks to global security, even natural disasters. Cybersecurity specialists at Mandiant echoed these sentiments in their 2023 forecast, adding that cybercriminals will look to learn from the security community to conduct nefarious activities in 2023. Phishing emails with fraudulent links and infected attachments continue to plague all industries and remain a prime infiltration vector. If you run a small business, check out our business cybersecurity tips for ideas on how to strengthen your cyber-resilience.
