Phishing dominated the cyber threat landscape in 2022, continuing its yearly rise. This year, we will likely see further fronts exposed against the backdrop of significant UK and global factors. With the world economy in recession, inflationary pressures, the costs of living and business, and government support packages all in play, targeted campaigns will cut through and defraud many households and businesses. Phishing is expected to entrench its position as the number one cyber attack.
The statistics of security
The UK Government Cyber Security Breaches Survey for 2022 found that 31% of businesses and 26% of charities identified a cyber attack at least once every week.
In terms of the attack type, 83% of businesses reported that phishing was the cause, consistent with the previous year, and an increase from pre-pandemic levels of 80% in 2019. With more organisations reporting attacks each year, phishing is on the rise. The dominance of phishing is not a result of organisations failing to use defences, because most do: 79% of UK businesses use existing anti-malware software and firewalls.
The aftershocks of a breach are significant — one in three firms lost customers after a breach, as reported by IBM and Ponemon in their Cost of a Data Breach report in 2021. In their 2022 report, they found 60% of company breaches led to increased prices passed on to customers. IBM also found phishing causes the costliest breaches, at an average of $4.9 million.
With these sobering statistics, what can we conclude? Organisations are not putting in place the right defences and are spending their time in remediation, training and re-training. The defences used today are not making enough of an impact.
Many companies are strengthening their systems with multi-factor authentication, password policies, access control, email security and firewalls, but the statistics don’t change.
Thinking positively
So, how do we change the statistics? Possibly by thinking more positively – as an industry we’ve spent decades thinking negatively. We’ve been chasing threats and reacting to attacks. How can this approach keep up with threats at the internet scale?
We have potentially reached saturation point on current technology. We have firewalls, appliances, intrusion detection systems and heuristics – all about spotting the bad. Systems can’t keep pace and targeted campaigns get through and reach the individual, the most susceptible player.