Editorial

More firms paying ransoms following cyberattacks

Plus, 27 percent of UK firms would sack employees who repeatedly fell for real or simulated phishing attacks – despite a lack of security training for working from home

Posted 9 February 2021 by

There has been a sharp increase in the number of organisations paying cybercriminals in cases of ransomware infections. Forty-four percent of UK infosec survey respondents said their organisation had experienced a ransomware attack in 2020 and paid the ransom, compared to the global average of 34 percent, according to Proofpoint’s new ‘State of the Phish’ report.

For those who paid, 59 percent of UK respondents said their organisation regained access to data or systems after first payment. However, 39 percent were hit with additional ransom demands that they agreed to pay, eventually regaining access to data.

The survey also indicates a lack of awareness of ransomware, with 67 percent of working adults not knowing what ransomware is. Specifically, 36 percent incorrectly defined the term, and 31 percent said they ‘didn’t know.’

“Threat actors worldwide are continuing to target people with agile, relevant, and sophisticated communications—most notably through the email channel, which remains the top threat vector,” said Alan LeFort, SVP and general manager of Security Awareness Training for Proofpoint.

“Ensuring users understand how to spot and report attempted cyberattacks is undeniably business-critical, especially as users continue to work remotely – often in a less secured environment. While many organisations say they are delivering security awareness training to their employees, our data shows most are not doing enough.”

More than 75 percent of security pros said their organisations faced broad-based phishing attacks—both successful and unsuccessful—in 2020, and ransomware infections impacted 66 percent of third-party global survey respondents.

Fired for falling for phishing

The report also shows that UK firms are particularly intolerant of employees who make repeated cyber mistakes. Twenty-seven percent of companies would sack employees who repeatedly fell for real or simulated phishing attacks at work, above the global average.

Sixty percent of UK organisations use a consequence model, meaning there are punishments for users who repeatedly fall for real or simulated phishing attacks. The top consequences for repeat offenders were counselling from the infosec team (63 percent), impact to yearly performance reviews (48 percent) and disciplinary actions (such as a written warning) enforced by HR (40 percent). Termination came in above the global average at 27 percent, behind only the US at 30 percent.

Sixty-eight percent said a consequence model led to an improvement in employee awareness, the lowest level of confidence in this approach among all respondents, against a global average of 82 percent.

Proofpoint says its report emphasises the need for a “people-centric” approach to cybersecurity and awareness training that accounts for changing conditions, like those experienced by organisations throughout the pandemic.

However, survey findings reveal a lack of tailored training. For example, 92 percent of UK respondents said their workforce shifted to a work-from-home model last year, but only 36 percent said they trained users on safe remote working.

“The findings related to remote working situations in the U.K. are eye-opening,” said Adenike Cosgrove, cybersecurity strategist, international, Proofpoint.

“Nearly all the UK infosec professionals we surveyed said they supported a new, remote working model for at least half of their organisation’s workers last year. And yet just over a third of these respondents said workers were trained about security practices related to working from home. At the same time, more than half of UK workers say they allow their friends and family to access work-issued devices to do things like shop online and play games. These gaps represent a significant risk and reinforce the need for security awareness training initiatives that are tailored to the remote workforce.”