A new study has found that, in the last 12 months, 43% of UK SMEs were targeted by phishing attacks in which hackers impersonated members of staff. Worryingly, the instigators behind two thirds of these attacks saw their plans bear fruit.
The study, conducted by security and data analytics firm CybSafe, surveyed 250 IT decision-makers at SMEs across the UK. Respondents were questioned about the attacks they had experienced and also asked what they were doing to protect the cybersecurity of their business.
CybSafe CEO Oz Alashe said: “Phishing is currently the dominant attack vector for entry into networks, and its popularity isn’t hard to understand. It’s easy to carry out, easy to profit from, and from the perspective of cybersecurity professionals, it’s notoriously difficult to defend against. Just one individual falling victim can be enough to give criminals the foothold required to access confidential information.
“Impersonation phishing attacks – personalised attacks which involve the impersonation of friends or family, or other members of staff – pose a particular threat. These attacks are highly convincing and have high success rates.”
A lack of company-wide awareness about phishing scams and cyber-threats in general could well be a contributing factor to the towering success rate hackers have enjoyed over the past year. The study found that fewer than half of the IT leaders questioned (just 47%) claimed to have a cybersecurity training and awareness program up and running.
“Our latest research shows that, despite the severity of this threat, UK businesses are taking very little action at the moment,” said Alashe. “Of those that are doing something, many are simply paying lip-service to security training for compliance reasons, and aren’t demonstrably reducing their human cyber-risk.”
Respondents viewed email phishing as a much greater threat to their business than phone phishing. Pitted against nine other potential threats, email phishing was perceived to be the second most pressing threat (37%), behind only malware. By contrast, phone phishing was believed to be the least urgent threat to business (8.8%).
CybSafe’s report echoes the UK government’s own Cybersecurity Breaches Survey published earlier this year, which found that phishing attacks were the most common security attacks on businesses and charities in the UK.