Phishing is Killing Businesses. Execs Need to See That It’s Time for a New Approach.

March 31, 2022

The evidence is clear: phishing is a clear and present danger to organizations around the world and that danger is growing. All types of phishing threats have grown in the last 12 months, presenting businesses with even more challenges when it comes to protecting their assets from cybercrime. However, many business executives may not understand the danger that phishing really presents to their organizations and fail to see that old approaches to solving the problem aren’t getting the job done.  

Fact: Phishing is The Biggest Cybersecurity Risk Businesses Face

The bottom line for businesses when looking at threats they may face is that phishing tops the risk charts, and it just keeps getting worse. A whopping 84% of businesses in a new study said that they were the victims of a successful phishing attack in 2021. That study went on to declare that there has been a 15% increase in successful phishing attacks over the past 12 months, with the bulk of the attacks utilizing malicious links and attachments. That certainly tracks with other data about phishing with attachments. Breaking the threat down further, while more than 50% of malicious attachments are from a variety of sources, the biggest takeaway is that an estimated 48% of malicious email attachments are something that most employees handle every day: Office files. Microsoft Office formats like Word, PowerPoint and Excel account for 38% of phishing attacks, followed by archived files such as .zip and .jar, which account for about 37% of malicious transmissions.

To no one’s surprise, ransomware was by far the most common result of a successful phishing attack that organizations had to face. A shocking 59% of organizations that fell victim to a phishing attack in 2021 were then infected with ransomware, causing further complications and incurring big bills. In the UK, ransomware attacks doubled between 2020 and 2021, with the number of ransomware attacks reported to the UK Information Commissioner’s Office (ICO) ballooning from 326 in 2020 to 654 in 2021. Ransomware was a particular bane on infrastructure, with the U.S. Federal Bureau of Investigation (FBI) Internet Crime Complaint Center (IC3) 2021 Report showing that organizations in 14 of 16 critical infrastructure sectors experienced at least one ransomware attack in 2021.

Compounding the problem and the impact, 39% of businesses hit by ransomware last year chose to pay their attackers, and the payments that they had to make were large. Average paid ransom amounts have increased by 82% to a record $570,000 (£414,000), compared with just $170,000 (£123,000) in 2020. The IBM Cyber Resilient Organizations Study 2021 offers some insight.  Only 35% of the impacted organizations in this study reported that their ransom demand was less than $2 million. Instead, the majority (46%) said that cybercriminals demanded ransoms of $2 – 10 million from their organizations and 19% reported a ransom demand of $10 million to more than $50 million. Of course, paying extortionists is never a good idea and paying ransoms may be illegal.

Treating the Symptoms Won’t Solve the Problem

Organizations in every sector are at risk of attack, but some sectors are having a harder time than others right now. The most beleaguered sector of late 2021 was Banking and Finance, with almost one-quarter (22%) of ransomware attacks in the last part of 2021 directed at targets in that sector. But for Banking and Finance organizations, the entire year was a dangerous time to do business. Banking and Finance targets saw a 1,318% increase in the number of ransomware attacks waged against them in the first half of 2021.  An estimated one-fifth of ransomware attacks (20%) in the last half of the year were aimed at utility companies. Over 1,300 organizations in the Utilities sector including critical services, infrastructure, and supporting industrial targets were impacted by ransomware in 2021.   

However, just because organizations are drowning in a flood of phishing and facing more costly and dangerous threats from ransomware than ever before, that doesn’t mean that their leaders take the problem seriously or are making the right choices to solve it. They’re certainly not willing to spend money on it. Just over half of organizations (52%) allocate less than one-quarter of their security budget to dealing with phishing. What are they doing with the money? To prepare for phishing threats, 72% of businesses report that they’ve bought cyber insurance, which is growing less likely to cover ransomware damage, 64% say they’ve retained legal counsel and 55% say they’ve invested in forensic investigation. None of these measures will prevent phishing from impacting an organization, and they’re only somewhat helpful in cleaning up the mess in the wake of something like a ransomware attack.

But executives aren’t really worried about that. Less than 25% of executives considered ransomware a top security priority. This is a great example of the fact that non-tech business leaders frequently fail to see the damage that cyberattacks can do and are generally unwilling to take sensible precautions against trouble, especially if it costs money. In a CNBC/Momentive Small Business Survey, a stunning 56% of the SMB owners surveyed said they are “not very concerned” about being the victim of a cyberattack in the next 12 months, and among those, 24% said they were “not concerned at all.” More than half (59%) of the executives surveyed were quite confident that even if they were hit with a cyberattack, they’d quickly resolve it. Only 37% were “not very confident” and only 11% were “not confident at all.”

SEGs Can’t Get the Job Done Anymore

For many organizations, it is becoming increasingly clear that a Secure Email Gateway (SEG) is not the answer. An overwhelming majority of IT leaders (89%) say that they’re experiencing at least one issue with the performance of their SEGs that impacts their satisfaction with that email security tool. Almost half of those IT leaders (46%) cited the high level of administration required to maintain a SEG as their biggest frustration. Interruptions to the flow of email traffic were also frustrating; 31% said that their SEG quarantines too many legitimate emails. About one-third (30%) said that their SEG was just too expensive. Other problems that IT leaders report are serious negatives for the security performance of a SEG, including attacks bypassing it too easily (27%) and having no way to know which attacks are actually getting through (20%).

The frustrations that IT leaders have with SEGs are a great indicator of why automated, cloud-native email security is the right move for organizations to make to reduce their risk and control their email security costs. In fact, organizations that choose to rely on security automation and AI instead of conventional security measures like built-in platform email security or a SEG can save more than 80% of the cost of manual security while enjoying a major protection boost – automated email security solutions capture about 40% more dangerous phishing messages than a SEG. 

Give Up Your SEG and Choose Affordable Automated Email Security 

Graphus is an automated email security solution that is powered by AI. That means that it can intelligently sort and filter the emails that come into a company’s environment to determine which ones are safe and which ones are suspicious. How does it do that? By using a unique, patented algorithm that fosters machine learning, enabling it to learn each company’s unique communication patterns and refine its judgment criteria all by itself to tailor that company’s protection now and in the future.     

TrustGraph® automatically detects and quarantines malicious emails that might break through an organization’s email security platform or existing Secure Email Gateway (SEG), so the end-user never interacts with harmful messages.    

EmployeeShield® alerts recipients of a potentially suspicious message to danger that they may not notice by placing an interactive warning banner at the top that allows users to quarantine or mark the message as safe with a single click.    

Phish911™ empowers employees to proactively report suspicious and unwanted emails for IT to investigate, reducing your exposure to potential disaster.

Stop phishing immediately with Graphus – the most simple, automated and affordable phishing defense available today. 

Stay safe from even the most sophisticated cyberattacks and social engineering scams

Put the powerful TrustGraph® AI of Graphus to work for your business, and in minutes you’ll get a powerful, easy-to-use, and customizable EmployeeShield® against phishing attacks.