Phishing is one of the most common ways to steal information online and is therefore a top priority for cybersecurity training in organizations. However, the training given to staff who have access to company devices and data has proven less effective than expected.
Although phishing relies on basic psychology to lead the victim into handing over sensitive information or downloading malware, users within organizations continue to fall for it.
Cybersecurity firm Sophos carried out a survey with a highly surprising conclusion: 45 percent of UK organizations were compromised by phishing attacks between 2016 and 2018. Almost half of the organizations that were asked to join the research claimed to have been victims of phishing attacks through their employees, who were lured by fake messages from a wide array of sources.
Understanding Phishing Attacks
Phishing attacks may be simple and straightforward, but they are the foundation of much cybercrime because they lure users into downloading malicious software and handing over sensitive information willingly.
These attacks form the front line of large-scale cybercrime campaigns, since they may grant attackers full access to remote hardware and networks for later use. That is why some successful attacks produce no visible consequences for the victim: the malicious access to the device remains stealthy.
The Main Target
One interesting finding of Sophos’ research is that a particular type of organization is more likely to be targeted with phishing tactics: 54 percent of organizations with between 500 and 1,000 employees have been victims of this type of attack in the past two years.
This business profile has proven more susceptible to attacks. Ironically, it is the same profile that makes a decent effort at cybersecurity training for employees. Of course, big companies such as multinational enterprises will always be more willing to invest massive resources in protecting their digital assets and systems.
For organizations with 250 to 500 staff, the figure drops to 39 percent, and for businesses with fewer than 250 employees it is 14 percent. The logic is simple: while small companies are far easier to attack successfully, large organizations offer a much higher return on investment for attackers, since they are more likely to hold valuable information to steal and sell.
Feedback as Culture
One of the biggest problems, according to the Sophos report, is that there is no feedback or reporting when an employee makes a mistake. In the end, phishing attacks are all about luring the victim and deceiving him or her into clicking a link. Phishing victims often feel ashamed of having fallen into the trap and avoid reporting the incident.
When a phishing attack has succeeded and the victim realizes it, the top priority is to report the attack and take every safety measure to contain it. Remember that many of these attacks have no immediate effect, because their purpose is to establish a connection to corporate servers and devices that can be used in the future. That is why prompt reporting can be a lifesaver, preventing more serious potential consequences from materializing.