83% of UK businesses face phishing attacks as threat's penetration looms
With more people working from home, phishing attacks have increased tremendously over the last year. The lack of cybersecurity in the home environment has made people more vulnerable to fraudulent emails and to being directed to deceptive websites.
According to the data presented by the Atlas VPN team, in the past 12 months, 83% of UK businesses experienced phishing attacks. Compared to 2017, current results indicate an evolution of the types of breaches that organizations face – moving away from direct malware and more towards phishing.
The data is based on the Cyber Security Breaches Survey 2021 commissioned by the Department for Digital, Culture, Media and Sport (DCMS) in the UK. The survey interviewed 1,419 UK businesses, 487 UK registered charities, and 378 education institutions from 12 October 2020 to 22 January 2021.
Other significant types of attacks come from criminals impersonating well-known organizations via emails or websites. In total, 27% of businesses have suffered from such attacks.
Email impersonation happens when a cybercriminal crafts an email so that it appears to have been sent by someone else. The attacker's typical intention is to trick victims into making money transfers or sending sensitive business or client data.
It is interesting to note that virus or malware attacks have fallen to only 9%, compared to 2017, when 33% of companies reported experiencing them. It seems that cybercriminals have moved to phishing attempts, which have risen by 11% in the past four years.
At the same time, businesses reported that 8% of cyber-attacks experienced in the past 12 months were denial of service (DoS). These kinds of cyber-attacks shut down a machine or network, making it inaccessible to its intended users.
Not only a considerable number of businesses but also 79% of charities have reported phishing attacks. Almost one-quarter of charities received emails impersonating organizations. Charities were also more susceptible to virus or malware attacks compared to businesses.
Half of the organizations have not taken any measures to identify cyber-risks
As cyber-attacks began increasing in the past few years, some organizations started taking action to identify and minimize cyber risks. However, such practices are still not as widely used as they should be.
Out of all surveyed organizations, around half (52%) have established at least one cybersecurity measure in the last 12 months. However, this means that the other half has not taken any action to evaluate their cybersecurity.
Admittedly, not all organizations are expected to undertake the usual steps to diagnose cyber risks, as this depends on their risk profiles.
The largest share of businesses, 35%, use specific tools designed for security monitoring as part of their cybersecurity risk identification measures. Even though cyber-attacks have increased, the percentage of companies using security monitoring tools has dropped by 5% compared to last year’s results.
Risk assessment covering cybersecurity risks is a close second, with 34% of businesses employing this method. While doing such reviews, companies should determine their information value, identify and prioritize assets, recognize cyber threats, analyze the current controls and implement new rules if needed. By calculating the likelihood of possible attacks and taking the right actions beforehand, companies could save a lot of money if a breach were to occur.
Altogether, 20% of businesses have tested their staff with mock phishing exercises. In such exercises, employees receive an email that looks like one from a trusted source. However, it is just bait to check how staff react. Usually, businesses share the test results with their employees to let them know what actions they should take if they get a similar email.
Finally, 15% of businesses reported that they have carried out a cybersecurity vulnerability audit. Large companies and high-income charities perform these more commonly. They have more resources to hire auditors and hold more valuable information that they do not want to risk losing due to security issues.
It is great to see organizations taking action to identify and manage cyber risks. However, it is pretty concerning that only half of all organizations are reacting to the increase in cyber threats.
As cybersecurity threats will only continue to grow in the future, it would be in companies’ best interest to initiate measures to minimize cyber risks and protect their employees and clients.
Former chef and the head of Atlas VPN blog team. He's an experienced cybersecurity expert with a background of technical content writing.