Surveys reveal no consensus
There is currently no consensus between business decision makers and cyber security executives on whether ransomware attacks or phishing emails are the most significant threat to their organisation.
Ultimately the question comes down to how organisations defend themselves against ransomware and phishing emails, and perhaps whether a "human firewall" is the best solution. But more on that later.
Security firm Clearswift revealed the findings of its survey of 600 business decision makers across the UK, US, Germany and Australia on how they viewed and ranked various forms of cyber-threats. Of those decision makers, 59% said that they viewed phishing emails as the biggest threat to their businesses.
These survey respondents did not comment on the threat posed by ransomware or DDoS attacks. 31% said that USBs were a major threat, as they can easily be infected with malicious code, and around a third of them listed the lax attitude of employees as the most dangerous – something that many experts feel is a growing threat.
On the other hand, Bitdefender surveyed 250 information security experts, revealing that 44% of them viewed the cyber-behaviour of their C-suite colleagues as the biggest threat to their businesses. As well as this, 75% of respondents stated that those representing their management were the most likely to flout data security rules.
There was a contrast in results between the two surveys – only 11% of security experts agreed that phishing attacks were the biggest threat, while 38% felt that ransomware and DDoS attacks are the ones to look out for. They were also asked to rank each business department on the likelihood that it would fall victim to a cyber attack. Finance was ranked the most likely to be targeted (23%), followed by Sales (17%) and HR (14%). This correlates closely with the departments that handle large amounts of sensitive data.
There seems to be quite a difference in how the threats are viewed by the two groups. In an interview with SC Magazine UK, Stephen Burke, founder & CEO at Cyber Risk Aware, responded to this difference of opinion. He suggested that there is a bigger issue: “organisations are focussing on keeping up to date with the latest cyber-defence technology rather than on the target for phishing attacks: the employees themselves”.
“In many organisations, end-user awareness is a security weak spot, which is why it’s vital to educate all employees on how to spot and report on phishing emails to prevent an attack in the first place. This is increasingly important as cyber-criminals have fully commercialised their offering and are able to bypass email security gateways to target individual users. Building a ‘human firewall’ – in which the employees can flag phishing emails – is an important part of a multi-layered security strategy,” he added.
Stephen Giguere, an EMEA engineer at Synopsys, said: “In a way, both sets of research are agreeing with one another. They also show a potential misinterpretation of the problem by some C-suite executives who rate ransomware over phishing. Several studies have shown that over 90% of phishing emails are designed to deliver ransomware.”
“You might consider that ransomware is the symptom and, in fact, phishing is the problem, but it would be advised to address both. While the perceptions aren’t surprising, as both ransomware and DDoS are media favourites, perception should not be the foundation of a cyber-security initiative.”