In 2022, phishing continues to rise, attacking people and organisations of all sizes, writes Alex Greenland MBCS, co-founder and CEO of Epi Technologies.
Despite today’s defensive tools and training, targeted campaigns get through and persuade people to give away sensitive information. Once malicious actors obtain credentials, they can access internal systems, view confidential data and extract funds, all while impersonating the target. By a considerable margin, phishing is the number one cyber attack.
The statistics today
1 in 3: businesses attacked at least once a week
83%: firms report phishing as the most common attack
79%: companies use existing cyber defences
The UK Government recently released its annual Cyber Security Breaches Survey, last updated in July 2022. It found that 31% of businesses and 26% of charities identified a cyber attack at least once every week. This is an increase from 27% of businesses and 23% of charities in the previous year. In terms of the attack type, 83% of businesses reported that phishing was the cause, consistent with the previous year, and an increase from the pre-pandemic level of 80% in 2019. With more organisations reporting attacks each year, phishing is on the rise. The dominance of phishing is not a result of organisations failing to use defences, as most do — 79% of UK businesses use existing anti-malware software and firewalls, comparable with previous years.
The aftershocks of a breach are significant — one in three firms lost customers after a breach, as reported by IBM and Ponemon in their Cost of a Data Breach report in 2021. In their 2022 report, they found 60% of company breaches led to increased prices passed on to customers. IBM also found phishing causes the costliest breaches, at an average of $4.9 million, and it takes an average of 219 days to identify that phishing has occurred, with an additional 76 days to contain the attack. Cisco’s cyber security threat trends report in 2021 found that phishing was responsible for 90% of breaches.
The world wild web
With these sobering statistics, what can we conclude? Organisations are not putting in place the right defences and are spending their time in remediation, training and re-training their employees. The defences used today are not making enough of an impact.
Many companies are strengthening their systems with multi-factor authentication, password policies, access control, email security and firewalls, but the statistics don’t change.
In 2005, viruses were the most common form of cyber attack affecting US business. In the last decade or so, phishing became the dominant form of cyber attack. As devices and networks have been hardened in recent years, attackers’ attention has turned to the individual. Every organisation has people, and they have become the easiest target. Social engineering techniques can be sophisticated and exploit our human nature. Phishing is also the number one cause of ransomware, the attack which cryptographically locks machines across organisations and holds them to ransom. Is the trust model broken? Do we trust too much and verify too little?
Keeping to a zero trust model
In the zero trust model, where devices are considered unsafe — regardless of company ownership, VPN and network perimeter — there are fine-grained identity and access management controls for users and services. But what about the internet and the web? Where do they fit in with the “never trust, always verify” model? Today, they don’t. The openness of the web means security providers typically create blocklists by discovering sites that are found to be malicious, through automation and reporting. But today’s blocklist services, such as Google Safe Browsing, Netcraft, ESET, Sophos, and the 90 vendors listed on VirusTotal, miss vast numbers of phishing sites. Employees are often left to fill in the gaps and make crucial trust decisions that they shouldn’t have to make, and they can easily make the wrong decision. Anyone can fall for a phishing attempt, no matter their technical expertise.
The internet was always known to be an open and untrusted environment, one to be supplemented with protocols like TLS and HTTPS to make it secure. But when used in browsers, a certificate gives the user an encrypted channel to whoever controls that domain name; it does not tell the user whether that is the server they intended to reach. The DNS and domain names are not suited for human consumption — how are people meant to know that metrobankonline·co·uk is the official site, not metrobank·co·uk? What about login-paypal·com rather than login·paypal·com?
Should we rethink trust on the web?
How can we keep up with the rising tide of phishing on the sole basis of finding all or most of the malicious sites that pop up? Despite advances in automation and AI, can we honestly expect, in this cat-and-phish game, that blocklist services will catch most of the phish? Can businesses afford this risk? As an alternative, if an allowlist existed that covered enough of the web, would this crack the so-far intractable problem of phishing? If adopted, people and businesses could, by default, deal only with entities trusted by the global community.
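To make the allowlist argument concrete, and to show how the lookalike domains from the previous section would be handled, here is an added example (not code from the article or from Epi Technologies). It reduces a hostname to its registrable domain and checks that against an allowlist, so that subdomains of a trusted entry pass while hyphenated or shortened lookalikes fail closed. The public-suffix table and the allowlist entries are constructed for illustration; a real deployment would load the full Public Suffix List and a curated allowlist.

```python
from typing import Optional

# Constructed stand-in for the Public Suffix List: suffixes under which
# anyone can register a name. A real check would load the full list.
PUBLIC_SUFFIXES = {"com", "uk", "co.uk", "org"}

# Constructed allowlist of registrable domains treated as trusted.
# (The article's examples: metrobankonline.co.uk is the official site;
# paypal.com is assumed trusted for illustration.)
ALLOWLIST = {"paypal.com", "metrobankonline.co.uk"}


def registrable_domain(host: str) -> Optional[str]:
    """Return the registrable domain (public suffix plus one label),
    or None if the host is malformed or is itself a public suffix."""
    labels = host.strip().lower().rstrip(".").split(".")
    if any(not label for label in labels):
        return None
    # Walk from the full name towards the TLD; the first hit is the
    # longest public suffix, so "co.uk" wins over "uk".
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            if i == 0:
                return None  # bare suffix such as "co.uk"
            return ".".join(labels[i - 1:])
    return None  # unknown suffix: fail closed


def is_allowlisted(host: str) -> bool:
    """Default-deny: only hosts whose registrable domain is allowlisted pass."""
    domain = registrable_domain(host)
    return domain is not None and domain in ALLOWLIST


def classify(hosts):
    """Map each host to 'allow' or 'block' for a quick report."""
    return {h: ("allow" if is_allowlisted(h) else "block") for h in hosts}


if __name__ == "__main__":
    for host, verdict in classify([
        "login.paypal.com", "login-paypal.com",
        "metrobankonline.co.uk", "metrobank.co.uk",
        "paypal.com.example.org", "co.uk",
    ]).items():
        print(f"{verdict:5} {host}")
```

Note that the check also rejects the common trick of placing a trusted brand name in a subdomain of an untrusted registrable domain, because only the registrable part is compared.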
Looking to 2023, organisations need to consider whether the status quo is sufficient, and whether we all will continue to accept the rise in phishing.