News Feature | March 26, 2015

Study Shows Phishing Is Directly Related To 83% Of Security Concerns

By Christine Kern, contributing writer

A majority of all security concerns are directly related to phishing risks, according to a recent study from KnowBe4 and Osterman Research, but nearly 80 percent of those polled also say they have seen no improvement in the ways they proactively approach phishing. In fact, one-third see the problem actively worsening.

As cybercriminals up their game and engage in increasingly sophisticated and stealthy attacks, the number of data breaches, phishing attempts, and malware threats has skyrocketed. Scott Koller, a lawyer at BakerHostetler who focuses on data security, data breach response and compliance issues, tells iHealthBeat that 2015 will see a spike in phishing and ransomware attacks. Phishing attempts use deceit to persuade users to provide confidential information such as user names and passwords or credit card numbers. "Phishing emails often provide the entry point," Koller says, explaining that the attackers are getting craftier in disguising their phishing emails. "They are much more sophisticated in terms of crafting them and targeting them to users and making them more difficult to detect."

According to the KnowBe4 study, five out of six of the most serious security-focused concerns of IT decision makers are directly related to phishing or the aftermath of a successful phishing attack.

And it’s not just phishing. Malware infiltration is intensifying as well: 67 percent of networks surveyed report they had been successfully infiltrated by malware through email, while 63 percent report infiltration through web surfing. An additional 23 percent said they were infiltrated, but were unsure of the method of access.

KnowBe4 CEO Stu Sjouwerman explains, “With 122 billion emails being sent every hour, opportunities for phishing or spear-phishing abound. It is becoming easier than ever to gather personal information and use this to tailor a spear-phishing email to a CEO or finance executive and use it to pilfer millions of dollars just using email. Effective security awareness training can mitigate this risk.”

The study also finds:

  • Only 21 percent of organizations surveyed report their phishing problem has improved.
  • Only 22 percent experience positive results from training end users on detecting/neutralizing phishing threats.
  • Just 8 percent report using a human firewall approach to phish test and train users.
  • Just 14 percent report using phishing tests on employees.
  • About half (51 percent) either do nothing at all to train employees or utilize a yearly break room approach.
  • Just over one-quarter (26 percent) use short monthly training videos with employees.

Sjouwerman concludes, “The consequences of these growing cyber threats can be devastating. It can be the loss of millions of sensitive customer data records to the loss of intellectual property like trade secrets or marketing plans. Massive potential losses are the result of not preventing or effectively mitigating these threats.”