Board of Directors do not see ransomware as a top priority

Despite 98% of organisations delivering security awareness training to staff, Egress’ new research has found phishing attacks are an increasing problem

Only 23% of company directors consider ransomware to be a top cyber security priority, even though 59% of organisations have at some point fallen victim to a ransomware incident, according to a new Egress study.

Egress, the leading provider of intelligent email security, has released findings of its 2022 Fighting Phishing: The IT Leader’s View survey. It was found that 84% of organisations were victims of phishing, while 98% of organisations deliver anti-phishing training.

The research was conducted by Arlington Research and polled 500 IT leaders across the US and UK from a variety of industries, including financial services and legal. The results highlight the continued detrimental impact phishing attacks and ransomware can have on an organisation and the need to address the human-activated risk component created by people within an organisation.

Growth of phishing attacks

New phishing and ransomware attacks continue to make headlines, and Colonial Pipeline, Kaseya, Conti, Log4j and more are still being heavily discussed. The survey confirmed that phishing and ransomware are causing the ‘perfect storm’ and there is a disconnect about the prioritisation of cybersecurity at the Board level.

“Cybercriminals are continuing to leverage sophisticated social engineering attempts to catch users at a weak moment and gain access to the sensitive data they’re seeking. The results of this study show that cybersecurity training is limited in its effectiveness and it’s a big ask for people within an organisation to be constantly vigilant to phishing threats,” said Jack Chapman, Vice President of Threat Research at Egress.

“It’s imperative that organisational leadership, including the board of directors, focus on what’s needed to provide the most effective cybersecurity protection for that organisation. That includes evaluating overall spend and what’s in the security stack, looking to intelligent technology to tackle sophisticated phishing attacks.”

A need for cyber security training to keep organisations safe  

Egress found that 70% of IT leaders would refuse a ransomware demand. It also reported that as many as 70% of financial services firms had experienced a ransomware attack in 2021, with the average payout standing at about US$91,000.

Turning to phishing, Egress’ study reported that 98% of organisations now deliver anti-phishing training to their teams. However, half allocate less than a quarter of their security budget to actual anti-phishing measures.

This was despite the fact that 84% of organisations have been hit by attacks that originated with a phishing email, and 66% specifically by business email compromise (BEC), an exploit in which attackers successfully compromise a C-suite target's email and use it to trick another employee into sending them money.
