According to a recent survey from Ivanti, nearly three-quarters (74 percent) of IT professionals reported that their organizations have fallen victim to a phishing attack – and 40 percent of those happened in the last month alone. Increasingly, mobile phishing is the culprit.
What’s more, nearly half of these professionals cited a lack of the necessary IT talent as one of the core reasons for the increased risk of phishing attacks.
So how can organizations overcome the sudden increase in security threats and regain the upper hand against bad actors with fewer resources than ever before? Increasingly, it looks like zero-trust will become the ideal approach for doing more with less, because ultimately, it’s the users and their cyber-hygiene that’s the first line in phishing defense.
Let’s take a look at the latest phishing trends.
Where Big Phish Lurk in the Everywhere Pond
As organizations across all industries have shifted to distributed work environments, it’s no longer the task of security teams to manage access to data and systems from a specific location. Rather, employees are accessing work-related information on their personal devices from locations all over the globe, making it significantly more challenging for IT personnel to track and verify each and every connected device.
Because of this shift, bad actors have evolved their phishing attacks and are now focusing their efforts on employees’ personal mobile devices – and as our survey results showed, are finding great success with this approach. Hackers have also been leveraging botnet infections to harvest legitimate emails to create more convincing phishing attacks that are highly effective. This is concerning, as phishing attacks often evolve into ransomware attacks.
The annualized risk of a data breach resulting from phishing attacks has a median value of about $1.7 million, and a long-tail value of about $90 million – and this high risk for your organization proves a high reward for bad actors. Recent research from Aberdeen further emphasizes this risk, finding that attackers have a higher success rate on mobile endpoints than on servers.
As anyone, no matter how technically savvy, is at risk of falling victim to phishing attacks, it’s vital that organizations rethink their approach to security as a whole to combat these threats.
Checklist for a Zero-Trust Approach
Your company’s security lies first and foremost in the cyber-hygiene of employees – and that’s why the user experience should be a core focus of any security strategy. As remote work establishes itself as the new normal, ensuring that best practices are as simple as possible to complete will make or break your security efforts. And a zero-trust approach can provide organizations with the best of both worlds.
Zero-trust security requires organizations to continually verify any and all devices that are connected to its network every single time, with zero exceptions. As part of a zero-trust strategy, organizations should look to the following strategies:
- Leverage machine learning to conduct continuous device posture assessment, role-based user access control and location awareness before granting access to data.
- Automate routine security updates – thus eliminating the risk of employees delaying necessary security patches and other updates.
- Invest in mobile threat-detection software that can detect and thwart issues in real time.
- Eliminate passwords from the business landscape entirely and replace these security processes with multifactor authentication (MFA) that utilizes biometrics or other information to verify users and eliminate the overall “phishability” of routine login processes.
Through these tactics, organizations can streamline key security processes and continually secure all endpoints to minimize threat risk faster than ever before.
Plenty of Phish in the Sea
The modern threat landscape has transformed entirely – and as new avenues and opportunities for phishing scams arise, bad actors will continue inventing new attack tactics, hoping to outsmart your organization’s employees and make them take the bait.
As a result, organizations can no longer rely on traditional security protocols to protect themselves in the work-from-anywhere environment, especially since users continue to be a weak link.
After all, the Ivanti survey found that one third (34 percent) of those surveyed blame the increase on phishing attacks on a lack of employee understanding, and even fewer (30 percent) said 80-90 percent of their organizations had completed security trainings offered by their companies.
Luckily, by implementing a zero-trust security strategy – including implementing multifactor authentication, automating security updates and more — organizations will be better equipped to mitigate these threats as they arise and protect their business-critical systems and information.
Neither your employees nor bad actors intend to go back to the way they used to work. It’s time your security strategy adapts to the modern business landscape, too.
Daniel Spicer is Chief Security Officer at Ivanti.
Enjoy additional insights from Threatpost’s Infosec Insiders community by visiting our microsite.