Phishing is still the most commonly used attack on organizations, survey says

There’s more hand-wringing around cybersecurity this year than last, according to 66% of organizations surveyed for IDG’s 2018 US State of Cybercrime report.

It’s not that the average number of security incidents is increasing for everybody: it’s actually down this year, to 107.2. Sounds good, unless you’re a big fish: survey respondents reported that the average number of hits on big enterprises is up to 195.9.

The survey found that the majority of cyberattacks – 75% – came from outsiders, while 25% were due to insiders.

Cybercrooks are the biggest cyberthreat, and they’ve also got the steepest price tags: 39% of survey respondents said that cybercrimes caused by outsiders were the most costly for their organizations.

These are the most common outsider attack vectors that lead to cybersecurity breaches:

  1. Phishing – 53%
  2. Malware – 50%
  3. Spyware – 45%

IDG conducts this survey annually, along with CSO magazine, the CERT Division of Software Engineering Institute at Carnegie Mellon University, the US Secret Service, and KnowBe4 – a security awareness training and simulated phishing platform that helps organizations deal with social engineering attacks.

Insider threats are still a serious problem, of course. However, the most common problem employee isn’t one who purposefully screws the company with criminal intent. Like, say, the employee who allegedly stole government spyware… and hid it under his bed.

No, the survey respondents said, the biggest problem when it comes to insider threats is the employees who fall for phishing or other attacker scams. These are the most common insider threats reported in the survey:

  1. Innocent employees getting duped – 42%
  2. Careless employees blending work and personal usage – 26%

Crooks are growing more and more cunning when it comes to Business Email Compromise (BEC): exquisitely targeted attacks that trick employees into thinking they’re dealing with suppliers, partners, or their own bosses. Penguin Random House and other publishers were recent victims: last week, it emerged that crooks are pretending to be literary agents and foreign-rights staff in their efforts to get at valuable manuscripts.

Employees falling for this type of attack have led to these serious breaches in the past year, survey respondents reported:

  1. Compromised customer records – 61%
  2. Loss of trade secrets or intellectual property – 56%
  3. Theft of personally identifiable information (PII) – 49%

Randall Trzeciak, Director of the CERT National Insider Threat Center in the Software Engineering Institute at Carnegie Mellon University, said in a press release about the survey that the findings underscore the need for security training:

Many of these breaches might have been avoided if employees were properly educated. In some instances, the naivety of employees has led to phishing and attacker scams, resulting in compromised data and monetary losses.

Most employees are receiving security training, but not more than once a year. Here’s how it breaks down for training frequency:

  1. Once a year – 29%
  2. Twice a year – 15%
  3. Quarterly – 15%
  4. Monthly – 7%

C-level execs are the ones who most need the training to protect themselves from attacks, according to 52% of respondents.

The survey’s conclusion: train up them there employees, particularly the head honchos, and train them often.