The third quarter of 2021 saw a noticeable dip in phishing incidents, according to new research, but ransomware attacks and significant financial losses remain the top consequences.
A recent report from CRA Business Intelligence, sponsored by Cofense, is based on a survey conducted from September to November 2021 among 351 IT and cybersecurity decision makers and practitioners from large organizations across North America, Europe, the Middle East, and Asia/Pacific. A comparable survey had been run in April/May 2021 among 353 respondents with similar profiles, so that shifts in the results could be assessed.
CRA’s survey found that the average number of Q3 2021 phishing incidents for those that experienced an incident was five, the same as Q1 2021. Phishing represented an average of 29% of all cybersecurity incidents in Q3, compared to 32% in Q1.
Financial loss remains the top impact of phishing incidents, and its prevalence was similar in both surveys: 41% in the fall compared with 44% in the spring. For 36% of respondents, the top impact was an erosion in how much their clients trusted them to protect their personal information, roughly the same share (38%) as in the spring.
Some 39% experienced a customer data breach in Q3 2021, nearly the same (37%) as in Q1 2021. A similar share reported loss of intellectual property and other data, as well as bad press, while 31% were forced to pay regulatory penalty fines.
Overall, nearly half of all respondents experienced an increase in phishing in Q3 2021 — a significantly lower share than in Q1 2021 — while about 1 in 4 saw no change in frequency since Q1 2021.
The respondents from these major companies say they are still struggling to keep up with phishing. Once a phishing incident had been identified, investigating and remediating it took an average of 1.7 hours in Q3 2021, up slightly from an average of 1.3 hours in Q1 2021.
Other important findings from the CRA study include the following:
- Email attachments and links were the top sources for phishing, accounting for about one-third of all phishing incidents in Q3 2021 (slightly more compared to Q1 2021).
- On average, slightly less than one-third of Q3 2021 IT budgets were spent on phishing software/technology, similar to Q1 2021.
- Organizations adopted more defenses in Q3 2021, including increased employee awareness training, email security solutions, and phishing risk assessment tools and software/platforms.
- Compared to Q1 2021, Q3 2021 phishing responsiveness significantly increased for employee awareness training, internal communications, and incident response team activation.
- Rapid reporting, increased user awareness, and reduced response time remain the top benefits of phishing defense software/technology in Q3 2021.
- Roughly half (52%) of respondents in Q3 2021 believed they were “very” or “extremely” effective in responding to phishing, similar to Q1 2021.
- In Q3 2021, more than half of all respondents said they struggled to stay ahead of the phishing volume, and most (56%) believed phishing attackers will be more effective in the next 12 months.
The respondents also acknowledged the role employee training plays in all employee-focused cybersecurity efforts. A vast majority of the respondents said employee training has become as important as technology in preventing phishing incidents. The CRA survey’s findings suggest that companies should direct training at both technical and non-technical staff at all levels, from entry-level employees to senior management. In describing specific employee training scenarios, respondents mentioned the following requirements for their organization:
- Pre-training of new employees.
- Proper training for management teams.
- In-depth training for the staff of their IT departments.
- Employee training tools that help identify risks and teach employees to recognize phishing attempts.