Phishing is still the biggest threat to organisations, claims Cyren in its latest security blog. The blog analyses incident response and other data gathered by Cyren products. Importantly, it goes on to say: “this data represents incidents that Cyren detected and remediated. The data might paint a different picture if we analysed organisations that were compromised.”
The company believes that phishing is used as the primary foothold for a range of other attacks, from BEC to ransomware. It also contrasts phishing against malware and BEC attacks across four industries: healthcare (76%), finance and insurance (76%), manufacturing (85%) and real estate (93%). What is interesting about its analysis is that the rest of the attacks against healthcare (24%) are all BEC attacks. It says it detected no malware attacks at all. While this is a surprise, the company offers an explanation.
“Robust malware detection capabilities in the healthcare industry explain the high rate of BEC attempts. Attackers understand that they can’t easily slip malware past automated defenses, so they have shifted to social engineering tactics.”
The intensity of attacks varies by industry
The blog also looks at the number of attacks per 100 users across a wide range of industries. There are around 380 attacks per 100 users in education compared to oil and gas at under 10. However, it then qualifies that education number by saying it includes faculty and students. With education excluded, construction sets the high bar at around 155 attacks per 100 users.
Cyren also calls out employee mailboxes as a key attack surface. It is a message that the cybersecurity industry has been putting out for over 20 years. That it still rates as the biggest attack surface raises questions for many security products. IT security teams have invested vast sums of money in detecting phishing and spam. Yet, Cyren claims that IT is losing two business days, presumably per month, defending against email attacks. It raises the question: how poor are many of the tools that IT is investing in to protect email?
Excluding education again, US state and local government is dealing with 2.4 email threats per 1,000 emails. In finance and insurance, that number drops to around one email per 100,000 emails. It is a number that seems far too low compared to other security reports.
Enterprise Times: What does this mean?
This blog is useful because it shows what one vendor sees, especially in terms of email threats. It also shows that there is much more to be done by vendors who claim to protect inboxes from phishing and other attacks.