Phishing is expected to continue its advance, exploiting emergent UK and global conditions. What if we used positive defences, writes Alex Greenland MBCS, co-founder and CEO of UK cyber security firm Epi Technologies.
Phishing dominated the cyber threat landscape in 2022, continuing its yearly rise. This year we will likely see further fronts exposed against a backdrop of significant UK and global factors: a world economy in recession, inflationary pressures, the rising costs of living and of doing business, and government support packages. Targeted campaigns built around these themes will cut through and defraud many households and businesses. Phishing is expected to entrench its position as the number one cyber attack.
The statistics of security
The UK Government Cyber Security Breaches Survey for 2022 found that 31% of businesses and 26% of charities identified a cyber attack at least once every week.
In terms of attack type, 83% of businesses reported phishing as the cause, consistent with the previous year and an increase from the pre-pandemic level of 80% in 2019. With more organisations reporting attacks each year, phishing is on the rise. The dominance of phishing is not a result of organisations failing to use defences, because most do — 79% of UK businesses use existing anti-malware software and firewalls.
The aftershocks of a breach are significant — one in three firms lost customers after a breach, as reported by IBM and Ponemon in their Cost of a Data Breach report in 2021. In their 2022 report, they found 60% of company breaches led to increased prices passed on to customers. IBM also found phishing causes the costliest breaches, at an average of $4.9 million.
With these sobering statistics, what can we conclude? Organisations are not putting in place the right defences and are spending their time in remediation, training and re-training. The defences used today are not making enough of an impact.
Many companies are strengthening their systems with multi-factor authentication, password policies, access control, email security and firewalls, but the statistics don’t change.
So, how do we change the statistics? Possibly by thinking more positively – as an industry we’ve spent decades thinking negatively. We’ve been chasing threats and reacting to attacks. How can this approach keep up with threats at internet scale?
We have potentially reached saturation point on current technology. We have firewalls, appliances, intrusion detection systems and heuristics – all about spotting the bad. Systems can’t keep pace and targeted campaigns get through and reach the individual, the most susceptible player.
Fear and negativity aren’t just the backbone of cyber security systems and marketing, they are at the heart of personal threat decisions. People are trained to be frightened and are bombarded with competing advice on avoiding mistakes. It may seem easier to describe attack examples than explain trust, but we cannot inform people of every campaign as they appear. We need to give positive and influential advice, like 'this is what good looks like'.
We need technology that considers human fallibility. People should be able to focus on their work, not juggle security decisions. When systems determine website safety, it is ineffective to rely only on malicious signals, because threat vectors continuously evolve. With blocklists, the anti-phishing standard, you have to constantly add bad sites, and vast numbers of phishing sites are missed. With allowlists, you add only the sites your users need. Consider also sandboxes, walled gardens and least privilege – they are positive because they restrict services to those known to be safe, and leave fewer trust decisions to users.
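The contrast between blocklists and allowlists can be seen in a few lines of policy code. The example below is added here and is not code from the article or from Epi Technologies; the domains, the two policies and the sample URLs are all constructed for illustration. It shows that a blocklist lets any site it has not yet seen through by default, while an allowlist denies unknown sites by default, and it matches on whole hostname labels so that a lookalike such as bank.example.attacker.example or a URL that merely mentions a trusted domain in its query string does not slip through.

```python
from typing import Callable, List, Optional, Tuple
from urllib.parse import urlsplit

# Constructed sample policies (not from the article): the domains this
# organisation's users actually need, and the phishing hosts that were
# known when the blocklist was last updated.
ALLOWLIST = {"intranet.example", "mail.example", "bank.example"}
BLOCKLIST = {"bank-login.example", "secure-bank-verify.example"}


def hostname_of(url: str) -> Optional[str]:
    """Return the normalised hostname of a URL, or None if it has none."""
    try:
        # urlsplit strips userinfo, port and brackets around IPv6 literals
        host = urlsplit(url).hostname
    except ValueError:
        return None
    if not host:
        return None
    return host.rstrip(".").lower()


def host_matches(host: str, domain: str) -> bool:
    """True if host is the domain itself or a subdomain of it.

    Matching whole labels rather than substrings is what stops
    'bank.example.attacker.example' from matching 'bank.example'.
    """
    return host == domain or host.endswith("." + domain)


def blocklist_decision(url: str) -> str:
    """Deny only hosts already known to be bad; everything else passes."""
    host = hostname_of(url)
    if host is None:
        return "block"
    if any(host_matches(host, bad) for bad in BLOCKLIST):
        return "block"
    return "allow"  # a site nobody has reported yet is let through


def allowlist_decision(url: str) -> str:
    """Permit only hosts the organisation has chosen; everything else is denied."""
    host = hostname_of(url)
    if host is None:
        return "block"
    if any(host_matches(host, good) for good in ALLOWLIST):
        return "allow"
    return "block"  # a site nobody has approved is denied


def count_allowed(urls: List[str], decide: Callable[[str], str]) -> int:
    """How many of the given URLs a policy would let a user reach."""
    return sum(1 for u in urls if decide(u) == "allow")


def compare(urls: List[str]) -> List[Tuple[str, str, str]]:
    """Side-by-side decisions: (url, blocklist verdict, allowlist verdict)."""
    return [(u, blocklist_decision(u), allowlist_decision(u)) for u in urls]


# Constructed sample of links a user might click in one day.
SAMPLE_URLS = [
    "https://mail.example/inbox",                       # legitimate
    "http://user@bank.example:8443/accounts",          # legitimate, odd form
    "https://bank-login.example/verify",               # known phishing host
    "https://bank.example.attacker.example/login",     # lookalike, unseen
    "https://new-phish-today.example/",                # brand new campaign
    "https://evil.example/?next=https://bank.example", # trusted name in query
]

if __name__ == "__main__":
    for url, by_blocklist, by_allowlist in compare(SAMPLE_URLS):
        print(f"{url:50} blocklist={by_blocklist:5} allowlist={by_allowlist}")
```

Run as a script, the comparison shows the blocklist letting through the three phishing URLs it has never seen while the allowlist admits only the two legitimate links. The cost of the allowlist is the one the article implies: someone has to add the sites users need, which is an operational task rather than a race against every new campaign.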
In an arms race between threat detection and threat actors, determined actors will win. We can’t rearm or retool. We should change the game we’re playing. Organisations might want to consider adopting a positive, proactive mindset that encompasses people and technology, building upon their layers of defence.
To find out more, visit epihq.com.