Talent shortage, especially in the IT department, is now a direct cybersecurity threat.
It’s one of the key conclusions from an Ivanti survey of over 1,000 enterprise IT professionals across the U.S., U.K., France, Germany, Australia, and Japan, which also showed an increase in successful attacks.
One reason is remote working. Remote workers are using mobile devices more than ever to access corporate data. As a result, 37% of respondents said a lack of both technology and employee understanding allowed phishing attacks.
Companies did increase their training during the pandemic to address this knowledge gap. In the survey, 96% of IT professionals reported that their organizations offered cybersecurity training to teach employees about common attacks like phishing and ransomware.
But what is often missed is how many of these IT employees complete their training sessions. Only 30% of respondents said that 80-90% of employees had completed the training, creating a gaping hole for threat actors to exploit.
The trouble is that these actors are exploiting this gap and are being successful.
More than half (52%) of respondents claimed their organization suffered staff shortages in the past year. Of those respondents, 64% confirmed under-resourcing in the IT department is the cause of longer incident remediation times.
With fewer IT staff, the ability to mitigate security issues speedily is vastly reduced. Threat actors are piling on more phishing attacks when they see IT staff shortages. In the survey, 46% of respondents noted an increase in phishing attacks due to staff shortages.
Having more IT staff is not going to solve the problem either. Seventy-three percent of respondents indicated that phishing attempts had targeted their IT staff. The trouble is that 47% of those attempts were successful.
“Reducing the risk of phishing attacks is a race against time, in more than one dimension. Enterprise IT pros must stay ahead not only of the attackers who are constantly crafting new attacks but also of their own users — who are shockingly quick to click on malicious links,” said Derek E. Brink, vice president and research fellow at Aberdeen Strategy & Research.
All these factors are creating a massive surge in phishing.
According to the survey, 74% of respondents said their organizations had fallen victim to a phishing attack last year; 40% confirmed they had experienced one in June 2021. Meanwhile, 80% said they had witnessed an increase in the volume of phishing attempts.
It is not just the volume of attacks that is increasing. Sophistication reached new heights, said 85% of respondents.
Smishing and vishing scams are the latest variants to gain traction and target mobile users. According to recent research by Aberdeen Strategy & Research, attackers have a higher success rate on mobile endpoints than on servers — a pattern that is trending dramatically worse. Meanwhile, the annualized risk of a data breach resulting from mobile phishing attacks has a median value of about USD 1.7 million and a long tail value of about USD 90 million.
Analysts are calling companies to drive up their sophistication in thwarting phishing. However, relying on training or having more IT staff may not be enough.
“While many organizations have been making investments in security awareness training initiatives, they should also be prioritizing and applying advanced automation, artificial intelligence, and machine learning technologies to more quickly and consistently identify, verify and remediate phishing threats,” said Brink.
Image credit: iStockphoto/Kagenmi