Dubai, UAE, February 9, 2021: Proofpoint, Inc., today released its seventh annual State of the Phish report, which explores enterprise phishing experiences and provides an in-depth look at user awareness, vulnerability, and resilience. More than 75% of surveyed infosec professionals said their organisations faced broad-based phishing attacks—both successful and unsuccessful—in 2020, and ransomware infections impacted 66% of third-party global survey respondents.
“Threat actors worldwide are continuing to target people with agile, relevant and sophisticated attacks and email remains the top threat vector. As work from home continues for many organisations across the Middle East, it is important for people to understand how to spot and report attempted cyberattacks”, said Emile Abou Saleh, Regional Director, Middle East and Africa for Proofpoint. “At the end of the day, remote working can often mean that you are not protected by the same safeguards your office has in place”, he concluded.
Proofpoint’s State of the Phish report emphasises the need for a people-centric approach to cybersecurity protections and awareness training that accounts for changing conditions, like those experienced by organisations throughout the pandemic. Survey findings reveal a lack of tailored training. For example, 82% of infosec survey respondents said their workforce shifted to working from home in 2020, yet only 30% trained users on safe remote working.
Proofpoint’s State of the Phish details actionable advice as well as a deep analysis of the phishing threat landscape to help reduce risk. Key global findings include:
- More organisations experienced successful phishing attacks in 2020 than in 2019 (57% vs. 55%), according to the third-party survey.
- Of the two-thirds of survey respondents who said their organisation experienced a ransomware infection in 2020, more than half decided to pay the ransom in the hopes of quickly regaining access to data. Of those who paid, 60% regained access to data/systems after the first payment. However, nearly 40% were hit with additional ransom demands following an initial payment—a 320% year-over-year increase.
- Eighty percent of organisations surveyed indicated that security awareness training has reduced phishing susceptibility. But while 98% of infosec professionals surveyed said their organisation has a security awareness training program, only 64% offer formal training sessions to users.
- Proofpoint customers’ overall average failure rate on phishing simulations was 11%, down from 12% in 2019. The overall average resilience factor was 1.2, indicating that, in general, these organisations’ users are more likely to report a suspicious email than to interact with it.
- Manufacturing organisations faced the highest average volume of real-world phishing attacks in 2020 according to Proofpoint Threat Research. Organisations in this industry were among the most active in testing their users’ response to phishing threats, achieving an overall failure rate of 11%.
- At the department level, purchasing teams were top performers, with a 7% average failure rate. Maintenance and facilities teams were the worst-performing departments analysed, registering average failure rates of 15% and 17%, respectively.
“Social engineering attacks go beyond email as attackers use social media, text messages and even voicemail to trick users. Organisations in the Middle East need to remain alert and foster a strong security culture among their employees through effective and ongoing security awareness training underpinned by a human-centric cybersecurity approach”, added Abou Saleh.
Organisations are encouraged to proactively develop people-centric cybersecurity strategies that account not only for shared experiences across regions, industries, and departments, but also the threats that are unique to their missions, goals, and people.