
PhishMe Report Shows Organizations Are Struggling to Prevent Phishing Attacks

Organizations are struggling to prevent phishing attacks, according to a recently published survey by PhishMe (now Cofense).

The survey, conducted on 200 IT executives from a wide range of industries, revealed 90% of IT executives are most concerned about email-related threats, which is not surprising given the frequency and sophisticated nature of attacks. When attacks do occur, many organizations struggle to identify phishing emails promptly and are hampered by an inefficient phishing response.

When asked how good their organization’s phishing response is, 43% of respondents rated it somewhere between totally ineffective and mediocre. Two-thirds of respondents said they have had to deal with a security incident resulting from a deceptive email.

The survey highlighted several areas where organizations are struggling to prevent phishing attacks and respond quickly when phishing emails make it past their defenses.

PhishMe also notes that many first-line IT support staff have received insufficient training or lack the skills to identify phishing emails. Consequently, many fail to escalate threats or to block access to malicious links through the firewall or web filter.

The biggest challenge was too many threats and too few responders, according to 50% of respondents. Approximately one third of respondents said they have to deal with more than 500 suspicious emails a week. 21% said they have more than 1,000 emails reported as suspicious each week.

Dealing with those emails and finding the real threats among the spam takes a considerable amount of time. When asked how the phishing response could be improved, number one on the wish list was a solution that could automatically analyze phishing emails to sort the real threats from spam.

Due to time pressures and a lack of human resources, potential phishing attacks are often not dealt with rapidly. Many organizations have an inefficient and ineffective phishing response which makes rapid mitigation difficult.

Part of the problem is how suspicious emails are reported. 55% of organizations have potentially suspicious emails routed to the helpdesk and do not have a dedicated inbox for phishing emails. Mixing reports of potential phishing attacks with other IT issues increases the probability of serious threats being overlooked and invariably leads to delays in implementing the phishing response.
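The two gaps described above, a dedicated mailbox for reports and an automated first pass that separates likely threats from spam, can be illustrated with a small triage script. The following Python is an example added here, not code from the article or from PhishMe/Cofense. It parses a reported message as it would arrive in a dedicated phishing inbox, scores a handful of defender-side indicators (a lookalike sender domain, SPF/DKIM results in the Authentication-Results header, urgency wording, and links whose visible text points to a different host than the href), and assigns a verdict so an analyst sees likely threats first. The two sample reports, the internal domain example-corp.com, the indicator weights and the verdict thresholds are all constructed assumptions.

```python
"""Triage of employee-reported phishing emails: score a message on a few
header and link indicators so analysts see likely threats before the noise.
Constructed example; not from the article or from PhishMe/Cofense."""
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

ORG_DOMAIN = "example-corp.com"  # assumed internal domain (placeholder)
URGENCY_WORDS = ("urgent", "action required", "expires", "suspended", "verify")

# Constructed report #1: lookalike sender, SPF failure, deceptive link target.
REPORT_PHISH = b"""From: "IT Helpdesk" <helpdesk@example-corp.com.lookalike.example>
To: alice@example-corp.com
Subject: Action required: your password expires today
Authentication-Results: mx.example-corp.com; spf=fail smtp.mailfrom=lookalike.example; dkim=none
Content-Type: text/html; charset="utf-8"

<html><body><p>Reset it now at
<a href="http://198.51.100.23/reset">https://sso.example-corp.com/reset</a></p></body></html>
"""

# Constructed report #2: an internal notice a user reported by mistake.
REPORT_BENIGN = b"""From: "Facilities" <facilities@example-corp.com>
To: alice@example-corp.com
Subject: Parking garage closed Saturday
Authentication-Results: mx.example-corp.com; spf=pass smtp.mailfrom=example-corp.com; dkim=pass
Content-Type: text/html; charset="utf-8"

<html><body><p>Details: <a href="https://intranet.example-corp.com/facilities">https://intranet.example-corp.com/facilities</a></p></body></html>
"""


def _host(url: str) -> str:
    """Lower-cased hostname of a URL, or '' if it has none."""
    return (urlparse(url.strip()).hostname or "").lower()


def _links(html: str):
    """Yield (href, visible text) for each anchor, with tags stripped from the text."""
    for href, inner in re.findall(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', html, re.I | re.S):
        yield href, re.sub(r"<[^>]+>", "", inner).strip()


def triage(raw: bytes, org_domain: str = ORG_DOMAIN):
    """Score one reported message; returns (verdict, score, reasons)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    score, reasons = 0, []

    # Sender checks: a domain that embeds ours but is not ours is a lookalike;
    # an external sender posing as internal support is also suspicious.
    name, addr = parseaddr(str(msg.get("From", "")))
    sender_dom = addr.rpartition("@")[2].lower()
    if sender_dom != org_domain and org_domain in sender_dom:
        score += 3
        reasons.append(f"lookalike sender domain {sender_dom}")
    elif sender_dom != org_domain and re.search(r"helpdesk|support|\bit\b", name, re.I):
        score += 2
        reasons.append(f"external sender posing as {name!r}")

    # Authentication results stamped by the receiving gateway (assumed header format).
    auth = str(msg.get("Authentication-Results", ""))
    if re.search(r"\bspf=(fail|softfail)\b", auth):
        score += 2
        reasons.append("SPF failed")
    if re.search(r"\bdkim=(none|fail)\b", auth):
        score += 1
        reasons.append("no valid DKIM signature")

    subject = str(msg.get("Subject", "")).lower()
    if any(word in subject for word in URGENCY_WORDS):
        score += 1
        reasons.append("urgency language in subject")

    # Link checks: visible URL text that disagrees with the real target, or raw IPs.
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body else ""
    for href, text in _links(html):
        href_host = _host(href)
        if text.lower().startswith("http") and _host(text) != href_host:
            score += 3
            reasons.append(f"link text shows {_host(text)} but points to {href_host}")
        if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", href_host):
            score += 2
            reasons.append(f"link to raw IP address {href_host}")

    verdict = "threat" if score >= 6 else "suspicious" if score >= 3 else "low-priority"
    return verdict, score, reasons


if __name__ == "__main__":
    for label, raw in (("report-1", REPORT_PHISH), ("report-2", REPORT_BENIGN)):
        verdict, score, reasons = triage(raw)
        print(f"{label}: {verdict} (score {score}) {'; '.join(reasons)}")
```

Run stand-alone, the script rates the first constructed report as a threat and the second as low-priority. In practice the scoring would feed a queue attached to the dedicated reporting mailbox, so that the hundreds of weekly reports the survey mentions are ordered by indicator weight rather than handled in arrival order alongside unrelated helpdesk tickets.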

The survey showed companies are heavily reliant on technology to prevent phishing attacks, although most have correctly chosen to implement layered defenses. That said, 42% of respondents said that managing multiple layers of security solutions was itself a problem when dealing with phishing attempts.

The most common defense against phishing attacks is email gateway filtering, although 15% of organizations still do not use email filtering technology and 20% do not use an anti-malware solution. There are also clear gaps in employee training. 34% of organizations do not provide computer-based training for employees to improve awareness of phishing and teach employees how to identify phishing emails.

Technology can only go so far. Email gateway solutions are effective at blocking phishing threats, although they are not 100% effective. Malicious emails will make it past email filters so it is essential that staff are trained to identify threats.

PhishMe accepts there are limits to training. “Are all employees going to ‘get it’ every time? Probably not. But they don’t have to if the rest of the organization is ready to recognize and report suspicious emails. It only takes one to report it so the incident response team can substantially reduce the impact of phishing attacks.”

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.