Published on the 04/10/2019 | Written by Heather Wright

Phishing prime cause of breaches, report says…

Businesses may want to step up their phishing simulations and training in the wake of a new survey which shows 56 percent of Australians have had their personal or financial data compromised at least once, with large numbers still not taking the simple precaution of changing their password after an incident.

The Hook, Line and Sinker: Why Phishing Attacks Work report, from Wakefield Research for IT security vendor Webroot, highlights the increasingly believable nature of phishing attacks and how easily they’re catching out Australians – despite 91 percent of Aussie respondents saying they can distinguish a phishing message from a genuine one.

That overconfidence is putting Australian businesses, and their data, at risk, Webroot says.

“With strong pressure to perform well at work, people are more likely to take this kind of bait.”

One thousand Australian’s were surveyed for the report, which was also carried out in America, the UK and Japan.

Meanwhile a new report from Carbon Black shows 97 percent of Australian organisations have suffered a data breach in the past 12 months, with phishing attacks the top cause of data breaches in Australia.

The second Australian Threat Report shows phishing attacks were the prime cause of breaches in Australia, accounting for 27 percent of data breaches. Phishing attack-related breaches were highest in government and local authorities at 44 percent, followed by financial services organisations (25 percent) and manufacturing and engineering (24.5 percent).

Hook, Line and Sinker shows 56 percent of workers in Australia say they’re more careful about clicking links or attachments at work than they are on personal devices (45 percent), but three in five have clicked a link from an unknown sender at work. More Australian workers have opened links in text messages than UK or Japanese counterparts.

The report says more scams are being reported in which employees receive a message from their boss, CEO or other manager, typically demanding that action be taken immediately. “With strong pressure to perform well at work, people are more likely to take this kind of bait.”

“Ultimately, urgency, familiarity and context have a strong impact on decision making,” says Cleotilde Gonzalez, research professor in the Department of Social and Decision Sciences at Carnegie Mellon University.

“If you already expect to receive emails from your boss at your office, and you are accustomed to message that request quick action, then you are likely to assume the message is real. It might never occur to you to suspect that it could be phishing.”

Webroot says while there’s no such thing as being over-educated when it comes to phishing, companies also need to ensure end users practice good online behaviour through regular phishing simulations and ensuring employees know how and where to report suspicious messages.

Understanding your businesses risk profile, ensuring mobile and remote workers devices are secured and the amount of unmonitored network access they have is restricted and planning for the worst with a data breach response plan that includes recovery strategies, security experts to contact and communications plans, are also recommended, Webroot says.

While there’s no foolproof way to prevent being phished Webroot notes that taking a layered approach to cybersecurity including ongoing user training will significantly reduce risk exposure. Forrester’s Now Tech: Security Awareness and Training Solutions, Q1 2019, report notes “your workforce should treat cybersecurity awareness with the same importance they use for ensuring that their projects, products, and messages are on key with company brand. Invest in solutions that weave security best practices throughout your corporate culture.”