Middle managers in sales, finance and procurement represent the weakest link to organizations when it comes to phishing emails that lead to advanced attacks, according to new research from Proofpoint.
The messaging security player analysed stats thrown up by its Targeted Attack Protection product to compile a Human Factor 2015 report into the weakest link in cybersecurity.
It found that around 4%, or one in every 25, malicious messages were clicked on irrespective of the volume of emails received. All industries are at risk – although finance and banking experienced around 41% more than the average.
Other sectors getting the attention of cyber-criminals include healthcare and insurance organizations, and others such as manufacturing, shipping, energy, utilities, and construction, the report claimed.
The latter few were largely avoided up until recently but have become valuable targets of late to attackers looking for direct financial gain and IP theft.
CISOs should take note that while all users are being targeted, middle managers in particular are under fire, perhaps because they click on malicious links twice as frequently as execs.
Sales, finance and procurement staff do so 50-80% more than the departmental average, the report added.
Voicemail message alerts and other communication notification emails were most likely to succeed in getting users to click through, and malicious attachments have become far more common than URLs this year, Proofpoint claimed.
Tuesday is the most active day for clicking – accruing 17% more than other weekdays, with attacks falling mainly during business hours.
It’s also interesting to note that two-thirds of all users click on a message on the first day it arrives in their inbox, reinforcing the need for effective systems which spot and block malicious emails in the cloud before they appear to staff.
Mark Sparshott, EMEA director at Proofpoint, argued the research shows IT teams must assume phishing emails have already bypassed their security gateways.
“They must acknowledge this as the new norm and that even the best user awareness training is delivering a diminishing reduction on URL and attachment open rates as the attackers increase their rate of innovation in message content and delivery infrastructure,” he told Infosecurity.
“The only sustainable approach is to deploy additional technology layers and threat feeds that enhance the detection of phishing emails and indicators of a breach combined with tools and processes that automated and expedite incident response.”
Eset security specialist, Mark James, argued that a multi-layered strategy involving good education, good security software and systems which are all patched and up-to-date, is a vital first step to improved resilience.
“Try to have procedures in place for dealing with both internal and external emails; a few basic rules can be the difference between a successful attack or not. A lot of the time it makes a difference if you spend five minutes checking the sender is correct for an email that looks a little dodgy,” he told Infosecurity.
“The rules must apply to all levels of staff; education is great but assuming that managers and executives are exempt is ludicrous. Don’t be concerned about checking to see if an internal message or even text is from the executive it says it is. If an email is asking for sensitive information then check before you send.”