While cyber security executives and business decision makers are grappling with the question of whether phishing emails or ransomware attacks are the most potent threats faced by their organisations, the real question is whether businesses are equipped to implement all-round risk mitigation strategies to prevent or to respond to all kinds of emerging threats.
Earlier this week, a survey of 600 business decision makers across the UK, US, Germany, and Australia by security firm Clearswift revealed how such decision makers viewed and ranked various forms of cyber-threats that could impact their businesses. A majority (59 percent) of such decision makers said that they viewed phishing emails as the biggest cyber-threat to their businesses, thereby signifying the scale of impact a single malicious email can have on a business.
Even though such decision makers did not comment about the threat posed by ransomware attacks or DDoS attacks, a third of them listed the lax attitude of their employees as the biggest threat, while another 31 percent of them highlighted USB devices as a major threat, since such devices can easily be infected with malicious code.
In contrast, a survey of 250 information security experts (CIOs, CISOs and CSOs) by Bitdefender revealed that 44 percent of them viewed the cyber-behaviour of their C-suite colleagues as the biggest threat to their businesses, with 75 percent of them sure that those representing their management were the most likely to flout data security rules.
While 38 percent of information security experts in this second survey ranked ransomware attacks and DDoS attacks as the biggest threats faced by their organisations, only 11 percent of them considered phishing attacks as the biggest threat. When asked to rank departments that were most likely to suffer a data breach, 23 percent of such experts chose Finance, 17 percent chose Sales, and another 14 percent chose HR, thereby flagging three departments that handle large amounts of sensitive information.
Responding to the apparent difference of opinion between decision makers and information security experts in terms of ranking the biggest cyber-threats to their organisations, Stephen Burke, founder and CEO at Cyber Risk Aware, told SC Magazine UK that this was really about addressing the cause and effect of attacks rather than prioritising one over the other.
He said that even though hackers are using insecure RDP access points to deploy ransomware, the vast majority of ransomware attacks continue to originate from phishing emails. So the conversation is really about the delivery mechanism and the end result, both of which are major threats.
However, he said that the bigger issue is that "organisations are focussing on keeping up to date with the latest cyber-defence technology rather than on the target for phishing attacks: the employees themselves".
"In many organisations end user awareness is a security weak spot, which is why it's vital to educate all employees on how to spot and report phishing emails to prevent an attack in the first place. This is increasingly important as cyber-criminals have fully commercialised their offering and are able to bypass email security gateways to target individual users. Building a 'human firewall' – in which the employees can flag phishing emails – is an important part of a multi-layered security strategy," he added.
According to Adam Brown, manager, security solutions at Synopsys, a wise approach to security is to consider security as a whole instead of rating various threats in terms of importance. Measurement and metrics will allow an organisation to understand their capability and where to make improvements.
"In a way both sets of research are agreeing with one another. They also show a potential misinterpretation of the problem by some C-suite executives who rate ransomware over phishing. Several studies have shown that over 90 percent of phishing emails are designed to deliver ransomware," Stephen Giguere, EMEA engineer at Synopsys, told SC Magazine UK.
"You might consider that ransomware is the symptom and in fact phishing is the problem, but it would be advised to address both. While the perceptions aren't surprising as both ransomware and DDoS are media favourites, perception should not be the foundation of a cyber-security initiative," he added.