You can’t battle an enemy without knowing what you’re up against, which is why reviewing studies such as the one we’ll be exploring today is so important. Not only is it fundamental for those who are working on cybersecurity within a company, but also for the executive team who is a lot less aware of the real dangers their company is up against.
Certain cyber threats get far less coverage in the day-to-day media, which unintentionally gives a false sense of security against them, or at the very least leaves organizations unprepared to battle them. Phishing attacks are one of those less discussed areas, yet they represent a real problem for businesses. Let’s explore the findings of PhishLabs’ study to see why that is, and what it tells you about your data security action steps moving forward.
Cloud storage providers are at high risk
- Based on attack volume, cloud storage nearly surpassed financial institutions as the most phished industry in 2016.
This says something very significant to all businesses: cloud storage providers will most likely be a main target of phishing attacks in 2017 and the years to come, putting every business that uses cloud storage at risk, not just the cloud storage providers.
Access to data for one account means access to multiple accounts
- The volume of attacks targeting sites with massive user bases, such as cloud storage providers, has exploded because phishers can mass harvest email address/password pairs this way.
Once this information is gained, phishers automatically gain credentials to multiple accounts in addition to the one they directly phished, because nowadays email addresses, not unique usernames, are used to log in to other accounts. And since passwords are reused, it’s highly likely that they’ve also gained the passwords to those accounts without needing to target anyone else.
Additional key findings to understand the extent of phishing attack risks
- Phishing sites residing on more than 170,000 unique domains have been identified, which is a 23% increase from previous studies.
- Phishing volume has grown an average of more than 33% across the five most targeted industries.
- Since 2014, attacks against government tax authorities have grown more than 300%.
- January 2016 saw more IRS phishing attacks than there were in all of 2015.
- Phishing attacks on Canadian institutions grew 237% more than any other country.
- Ransomware attacks (the predominant type of malware distributed via phishing) are focusing on organizations that are more likely to pay ransom; these include: healthcare, government, critical infrastructure, education, and small businesses.
- Unlike last year, phishing volume peaked mid-year due to the influence of major global events such as Brexit, and a spike was seen in virtual web server compromises.
- The US accounted for more than 81% of all phishing attacks.
- Even though 59% of phishing sites were hosted in the US, a significant increase in the number of phishing sites hosted in Eastern Europe was seen.
- Even though the .com top-level domain (TLD) was associated with more than half of all phishing sites in 2016, new generic TLDs are becoming a more popular option for phishing because they are low cost and can be used to create convincing phishing domains.
- Of more than 29,000 phish kits (collections of the files and graphics needed to easily create a phishing site) analyzed, more than a third used techniques to evade detection.
With these insights into phishing attacks, it should become clear that no matter where you store data, it is always at risk. This is why you want to stay on top of breach news and why you want to ensure your data storage provider(s) stay on top of their security measures. This means setting up agreements if they are business partners, but also having a security professional give you an expert overview and analysis of the security measures they have taken. It’s like bringing a car to the mechanic: you usually prefer going with someone you trust who knows about cars, to avoid missing any valuable information or being given partial or incorrect information.
You’re going digital now, so cybersecurity is really not optional at this point, and neither is having a good grasp of your security risks so that you can put in your best efforts to minimize breaches and damage to your business.
Give us a call if you need assistance in developing a holistic cybersecurity program, ensuring that what you have set up so far is actually working to protect your data, and understanding the level of security of your external digital storage service providers, as well as of any business partner that has access to your data.