Inconsistency Exists Between Increase in Threat Surface and Employee Preparedness
BOSTON, July 27, 2021 — A new survey of enterprise IT security leaders showed an overwhelming majority (almost 80 percent) believe remote workers are at more risk for phishing attacks now because they’re isolated from their organisations’ security teams. Despite the significant threat increase, more than 59 percent of respondents felt solutions such as video training (27%), email reminders (20%), and VPNs (12%) were sufficient by themselves to keep organisations safe from what those surveyed said were the biggest security breach fears: damage to brand and reputation, and legal jeopardy.
A question about threat literacy among remote workers found that 81 percent of IT leaders felt their employees understood that 90 percent or more of ransomware attacks originated through email phishing. Eighteen percent felt their employees didn’t know that, or didn’t know whether employees understood the threats posed by email phishing attacks.
Steps IT leaders took over the past 12 months to mitigate the growing danger to remote workers included video training courses on how not to fall victim to a phishing attack (27 percent); the deployment of anti-phishing software (26 percent); regular email communications to workers to be vigilant (20 percent); one-on-one (by video conference) training with new employees (13 percent); deploying a VPN (12 percent). Two percent of those polled felt employees already knew enough not to open suspicious-looking emails, or links they didn’t trust.
Asked if these countermeasures were sufficient to protect remote employees from phishing attacks, the overwhelming majority of IT pros (79 percent) felt they were. Just 15 percent said no. Asked if employees understood different types of phishing attacks, such as business email compromise or domain spoofing, almost 50 percent of respondents said “very well,” 39 percent said “quite well,” and 10 percent said “not quite well.” “Not at all” and “I don’t know” scored 1.25 percent and 1.5 percent, respectively.
Only 52 percent of those surveyed felt their organisation understood which areas of the business were the most vulnerable to attacks. The rest of the respondents answered “quite well” to “I don’t know,” leaving a large gap in understanding which employees from what departments within an organisation were the most at risk.
Despite the confidence in their organisations’ preparedness against the increase in sophisticated phishing threats to remote workers, 76 percent of IT leaders admitted their organisation would pay, or was likely to pay, a ransom if their entire system was locked down through malware. Twelve percent said their company was unlikely to pay, 7.25 percent said their employers would not pay, and 5 percent didn’t know.
“This survey has uncovered a complex situation wherein IT leaders understand threats to their remote workers have grown significantly worse, yet they feel the organisation is protected well enough against them through weak solutions or in some cases, just email reminders,” said Tony Pepper, CEO of Egress. “This shows that there is a lot of trust given to employees, who are suddenly shouldering the burden of not falling victim to what has become an exponentially worse threat environment.”
Other data collected in the survey includes:
Why do you think employees are more vulnerable to targeted phishing attacks as remote workers? (in order of importance)
- More removed from the org’s security team
- Distracting work environment
- Working from multiple or personal devices
- Pressure to appear more productive
- Phishing attacks have become more sophisticated
What level(s) of your organisation is/are responsible for protecting IT systems and infrastructure?
- CISO – 367 respondents
- CTO – 152 respondents
- IT Department – 605 respondents
- Other – 21 respondents
The poll was conducted in July 2021 and surveyed 800 technical staff and executives from companies across the U.S. and U.K. Company sizes ranged from 250 to more than 5,000 employees across the healthcare, legal, finance, government, and information services industries. All respondents either had ‘responsibility for IT systems security’ within their organisations or were part of a team with responsibility for IT systems security. Seventy percent of the companies are privately held; 30 percent are publicly traded.
Our mission is to eliminate the most complex cybersecurity challenge every organisation faces: insider risk. We understand that people get hacked, make mistakes, and break the rules. To prevent these human-activated breaches, we have built the only Human Layer Security platform that defends against inbound and outbound threats. Using patented contextual machine learning we detect and prevent abnormal human behaviour such as misdirected emails, data exfiltration and targeted spear-phishing attacks.
Used by the world’s biggest brands, Egress is private equity backed and has offices in London, New York and Boston.