Proofpoint today released its seventh annual State of the Phish report, which explores enterprise phishing experiences and provides an in-depth look at user awareness, vulnerability, and resilience. More than 75% of surveyed infosec professionals said their organizations faced broad-based phishing attacks—both successful and unsuccessful—in 2020, and ransomware infections impacted 66% of third-party global survey respondents.
This year’s State of the Phish report examines global third-party survey responses from more than 600 information security professionals in the U.S., Australia, France, Germany, Japan, Spain, and the UK, and highlights third-party survey findings of 3,500 working adults within those same seven countries. The report also analyzes data from more than 60 million simulated phishing attacks sent by Proofpoint customers to their employees over a one-year period, along with approximately 15 million emails reported via the user-activated PhishAlarm reporting button.
“Threat actors worldwide are continuing to target people with agile, relevant and sophisticated attacks, and email remains the top threat vector. As work from home continues for many organizations across the Middle East, it is important for people to understand how to spot and report attempted cyberattacks,” said Emile Abou Saleh, Regional Director, Middle East and Africa for Proofpoint. “At the end of the day, remote working can often mean that you are not protected by the same safeguards your office has in place,” he concluded.
Proofpoint’s State of the Phish report emphasizes the need for a people-centric approach to cybersecurity protections and awareness training that accounts for changing conditions, like those experienced by organizations throughout the pandemic. Survey findings reveal a lack of tailored training. For example, 82% of infosec survey respondents said their workforce shifted to working from home in 2020, yet only 30% trained users on safe remote working.
Proofpoint’s State of the Phish details actionable advice as well as a deep analysis of the phishing threat landscape to help reduce risk. Key global findings include:
• More organizations experienced successful phishing attacks in 2020 vs. 2019 (57% vs. 55%) according to the third-party survey. In addition, business email compromise (BEC) attacks continue to be a serious concern.
• Of the two-thirds of survey respondents who said their organization experienced a ransomware infection in 2020, more than half decided to pay the ransom in the hopes of quickly regaining access to data. Of those who paid, 60% regained access to data/systems after the first payment. However, nearly 40% were hit with additional ransom demands following an initial payment—a 320% year-over-year increase. Thirty-two percent reported that they subsequently agreed to pay the additional ransom demands—a 1,500% increase over 2019.
• Eighty percent of organizations surveyed indicated that security awareness training has reduced phishing susceptibility. But while 98% of infosec professionals surveyed said their organization has a security awareness training program, only 64% offer formal training sessions to users as part of cybersecurity training initiatives.
• Proofpoint customers’ overall average failure rate on phishing simulations was 11%, down from 12% in 2019. The overall average resilience factor (the ratio of simulated phishing emails reported to simulated phishing emails failed) was 1.2, indicating that, in general, these organizations’ users are more likely to report a suspicious email than to interact with it.
• Manufacturing organizations faced the highest average volume of real-world phishing attacks in 2020 according to Proofpoint Threat Research. Organizations in this industry were among the most active in testing their users’ response to phishing threats, achieving an overall failure rate of 11%.
• At the department level, purchasing teams were top performers, with a 7% average failure rate. Maintenance and facilities teams were the worst-performing departments analyzed, registering average failure rates of 15% and 17%, respectively.
Organizations are encouraged to proactively develop people-centric cybersecurity strategies that account not only for shared experiences across regions, industries, and departments, but also the threats that are unique to their missions, goals, and people.