Share this article on:
Proofpoint’s 2022 State of the Phish report reveals that tailored security awareness training remains critical for protecting hybrid work environments after email-based attacks dominated the threat landscape in 2021.
Proofpoint’s eighth annual State of the Phish report, which provides an in-depth look at user phishing awareness, vulnerability and resilience, revealed that attackers were more active in 2021 than 2020. Findings uncovered more than three-quarters (78 per cent) of organisations saw email-based ransomware attacks in 2021, while 77 per cent faced business email compromise attacks (BEC) (18 per cent YoY increase of BEC attacks from 2020), reflecting cyber criminals' continued focus on compromising people, as opposed to gaining access to systems through technical vulnerabilities.
This year's report examined responses from commissioned surveys of 600 information and IT security professionals and 3,500 workers in the US, Australia, France, Germany, Japan, Spain and the UK. The report also analysed data from nearly 100 million simulated phishing attacks sent by Proofpoint customers to their employees over a one-year period, along with more than 15 million emails reported via the user-activated PhishAlarm reporting button.
The report includes regional, industry and departmental benchmarking data that emphasises the need for a people-centric approach to cyber security. It also highlights real-world phishing examples and illustrates the value of a training solution that accounts for changing conditions, like those experienced by organisations throughout the pandemic.
Attacks in 2021 also had a much wider impact than in 2020, with 83 per cent of survey respondents revealing their organisation experienced at least one successful email-based phishing attack, up from 57 per cent in 2020. In line with this, more than two-thirds (68 per cent) of organisations said they dealt with at least one ransomware infection stemming from a direct email payload, second-stage malware delivery or other exploit. The year-over-year increase remains steady, but representative of the challenges organisations faced as ransomware attacks surged in 2021.
Where 2020 taught us about the need to be agile and responsive in the face of change, 2021 taught us about the need to better protect ourselves, according to Alan LeFort, SVP and GM of security awareness training for Proofpoint.
"As email remains the favoured attack method for cyber criminals, there is clear value in building a culture of security. In this evolving threat landscape and as work-from-anywhere becomes commonplace, it is critical that organisations empower their people and support their efforts to learn and apply new cyber skills, both at work and at home," LeFort said.
The shift to hybrid working accelerated in 2021, with 81 per cent of organisations saying that more than half of their employees are working remotely (either part or full time) due to the pandemic. However, only 37 per cent educate workers about best practices for remote working, illustrating a worrying gap in security best practice knowledge for the "new normal" of working.
For example, 97 per cent of workers said they have a home Wi-Fi network, but only 60 per cent said their network is password-protected, a major lapse in basic security hygiene.
LeFort added that Infosec and IT survey participants experienced an increase in targeted attacks in 2021 compared to 2020, yet their analysis showed the recognition of key security terminology such as phishing, malware, smishing and vishing dropped significantly.
"The awareness gaps and lax security behaviours demonstrated by workers creates substantial risk for organisations and their bottom line. Our 2022 report offers actionable advice aimed at enhancing user awareness, reducing risk and protecting people," LeFort said.
Additional State of the Phish report global findings include the following key takeaways:
[Related: VeroGuard receives Common Criteria certification for VeroGuard Platform]