HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

65% of U.S. Organizations Experienced a Successful Phishing Attack in 2019

The 2020 State of the Phish report from the cybersecurity firm Proofpoint shows 65% of U.S. organizations (55% globally) had to deal with at least one successful phishing attack in 2019.

For the report, Proofpoint drew data from a third-party survey of 3,500 working adults in the United States, United Kingdom, Australia, France, Germany, Japan, and Spain, along with a survey of 600 IT security professionals in those countries. Data was also taken from 9 million suspicious emails reported by its customers and more than 50 million simulated phishing emails in the past year.

Infosec professionals believe the number of phishing attacks remained the same or declined in 2019 compared to the previous year. This confirms what many cybersecurity firms have found: phishing tactics are changing, with cybercriminals now focusing on quality over quantity.

Standard phishing may have declined, but spear phishing attacks are more common. 88% of organizations said they faced spear phishing attacks in 2019 and 86% said they faced business email compromise (BEC) attacks.

Phishing attacks are most commonly conducted via email, but phishing via SMS messages (smishing), social media sites, and voice phishing over the telephone (vishing) are also commonplace. 86% of respondents said they experienced a social media phishing attack in the past 12 months, 84% experienced a smishing attack, and 83% experienced a voice phishing attack.

Source: Proofpoint State of the Phish Report, 2020.

Proofpoint’s report indicates there has been a decline in ransomware attacks since 2017, but IT professionals reported an increase in ransomware infections via phishing emails. This is due to the rise in popularity of ransomware-as-a-service, which allows individuals without the skills to develop their own ransomware variants to conduct attacks using ransomware developed by others.

When a ransomware attack is suffered, paying the ransom does not guarantee recovery of encrypted data. Only 69% of companies that paid the ransom regained access to their data after the first payment. 7% were issued with further demands which they refused to pay, resulting in data loss. 2% paid those extra demands and regained access to their files, and 22% said they did not recover data encrypted in the attacks.

Layered defenses are essential for combating the threat from phishing, malware, and ransomware, but Proofpoint points out that technical defenses only go so far. Regular security awareness training for the workforce is also required.

“We recommend taking a people-centric approach to cybersecurity by blending organization-wide awareness training initiatives with targeted, threat-driven education. The goal is to empower users to recognize and report attacks,” said Joe Ferrara, senior vice president and general manager of security awareness training for Proofpoint.

95% of surveyed organizations said they provide security awareness training to the workforce and 94% of those that do provide training more frequently than once a year. The figures are good, but there is still considerable room for improvement. Only 60% of companies that provide training do so through formal cybersecurity education and 30% said they only provide training to a portion of their user base.

Training certainly appears to be having a positive effect: there was a 67% increase in reported phishing emails in 2019 compared to 2018, which indicates that employees are taking the training on board, getting better at identifying threats, and taking the correct action of reporting suspicious emails to their security teams.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.