Eighty-four percent of organizations were phishing victims last year, 59% of whom were hit with ransomware. Why, then, do less than a quarter of boards think ransomware is a top priority?
Data shows there has been a 15% increase in successful phishing attacks over the past 12 months, with the bulk of the attacks utilizing malicious links and attachments. Those methods aren’t new, but a 15% increase in successful attacks means that something isn’t working.
Despite the increase in successful phishing attempts, and despite the fact that more than half of those attacks lead to ransomware infections, only 23% of boards of directors consider ransomware a top priority. Additionally, 52% of organizations allocate less than one quarter of their security budget to dealing with phishing despite the fact that 84% of organizations fell victim to such attacks in 2021.
Why is there such a disconnect?
The state of the phishing fight
If you’re wondering what exactly businesses are doing, 72% bought cyber insurance, 64% retained legal counsel and 55% invested in forensic investigation services. Additionally, 98% of organizations said they conducted anti-phishing training during the past year, with 55% saying they did it more than once annually.
Insurance and training are where a break between ideas and reality begins to appear. Insurance, which many consider a deterrent, is often the opposite. Payouts to cybercriminals, particularly for ransomware demands, often fund further attacks and put organizations at greater risk of being attacked again.
Cybercriminals will often seek out companies with cyber insurance, attack them and set the ransom just below the payout limit of their insurer, ensuring that they make money and incentivizing more businesses to insure and ignore the problem. Some businesses believe the best option is to pay, reasoning that they will at least be left alone in the future. Unfortunately, this is wishful thinking.
In terms of training, research has found that 45% of organizations replace their training supplier on a yearly basis, which suggests they’re looking for more effective training, or that they feel existing training isn’t working.
It isn’t very surprising that attacks continue to be successful despite training. The truth is cybersecurity training is limited in its effectiveness. It’s a lot to expect people to be constantly vigilant to the threat of phishing.
Bridging the gap
Training doesn’t work, insurance incentivizes cybercriminals, attack success rates are rising and boards don’t seem to care. It’s all leading to a serious gap between the threat posed by phishing and ransomware and the attitude and budgetary responses IT leaders get.
Boards may have any number of reasons for ignoring the threat of phishing and ransomware. Some are burying their heads in the sand, while others are relying on insurance to take care of the issue. Still others believe they aren’t high profile enough, or large enough, or in a lucrative-enough industry to be a target.
A lack of awareness about how ransomware gangs operate feeds into that disconnect. People who sit on boards don’t necessarily have an intimate knowledge of cybersecurity issues, so they may not understand the severity and scale of the problem.
Closing that disconnect is going to be a key priority for IT leaders in 2022. IT and security leadership know and feel that their boards aren’t taking ransomware seriously. Unfortunately for them, it’s their responsibility to get through to their board members.
It’s about making it feel ‘real’ to people who might not be fully aware of the severity of the problem and the likelihood of an attack. Carry out role plays that walk the board through the potential damage caused by ransomware, educating them on the real-world impacts and on why it can’t necessarily be fixed with an insurance payout.