Jul 20, 2021

Ivanti study says businesses losing the war against phishing

Nearly three-quarters of organisations have fallen victim to a phishing attack in the last year and more than half have suffered from IT talent shortages.

Ivanti, the automation platform that discovers, manages, secures, and services IT assets from cloud to edge, has announced the results of its phishing survey. The survey of over 1,000 enterprise IT professionals across the US, UK, France, Germany, Australia and Japan found the global shift to remote work has exacerbated the onslaught, sophistication and impact of phishing attacks. Nearly three-quarters (74%) of respondents said their organisations have fallen victim to a phishing attack in the last year, with 40 per cent confirming they have experienced one in the last month.

Eighty per cent of respondents said they have witnessed an increase in the volume of phishing attempts and 85 per cent said those attempts are getting more sophisticated. In fact, 73 per cent of respondents said that their IT staff had been targeted by phishing attempts, and 47 per cent of those attempts were successful. Smishing and vishing scams are the latest variants to gain traction and target mobile users. According to recent research by Aberdeen, attackers have a higher success rate on mobile endpoints than on servers – a pattern that is trending dramatically. Meanwhile, the annualised risk of a data breach resulting from mobile phishing attacks has a median value of about $1.7M, and a long-tail value of about $90M.

Ivanti says hackers are exploiting enterprise security gaps in the 'Everywhere Workplace', in which remote workers are using mobile devices more than ever before to access corporate data. Thirty-seven per cent of respondents cited a lack of both technology and employee understanding as the main causes for successful phishing attacks. However, 34 per cent blamed successful attacks on a lack of employee understanding. While 96 per cent of IT professionals reported that their organisation offers cybersecurity training to teach employees about common attacks like phishing and ransomware, only 30 per cent of respondents said that 80-90 per cent of employees had completed the training.

The Ivanti survey also found that the effects of phishing attacks have been exacerbated by shortages of IT talent. More than half (52%) of respondents claimed their organisation has suffered from staff shortages in the past year, and, of those respondents, 64 per cent confirmed under-resourcing as the cause of longer incident remediation times. With fewer members of staff, the ability to mitigate security issues speedily has been vastly reduced. Any downtime caused by a security incident costs an organisation money and damages productivity. Furthermore, 46 per cent cited increased phishing attacks as a direct result of staff shortages. 

Derek E. Brink, Vice President and Research Fellow at Aberdeen Strategy & Research, says: “Reducing the risk of phishing attacks is a race against time, in more than one dimension. Enterprise IT pros must stay ahead not only of the attackers who are constantly crafting new attacks, but also of their own users, who are shockingly quick to click on malicious links.

“While many organisations have been making investments in security awareness training initiatives, they should also be prioritising and applying advanced automation, artificial intelligence, and machine learning technologies to more quickly and consistently identify, verify, and remediate phishing threats.”

Chris Goettl, Senior Director of Product Management at Ivanti, adds: “Anyone, regardless of experience or cybersecurity savvy, is susceptible to a phishing attack. After all, the survey found that nearly half of IT professionals have been duped.

“To effectively combat phishing attacks, organisations need to implement a zero trust security strategy that incorporates unified endpoint management with on-device threat detection and anti-phishing capabilities. Organisations should also consider getting rid of passwords by leveraging mobile device authentication with biometric-based access to eliminate the primary point of compromise in phishing attacks.”
