Phishing attacks are on the rise and getting more sophisticated, with embattled IT professionals reporting their organizations are more vulnerable than ever, according to a survey Ivanti released this week.
Survey respondents said the global shift to remote work was a major factor in the increased attacks. Ivanti, a Salt Lake City, Utah-based IT asset monitoring, management, and security platform provider, polled more than 1,000 enterprise IT professionals in the U.S., U.K., France, Germany, Australia, and Japan in the survey conducted by Aberdeen Strategy & Research.
Eighty percent of those polled said they had seen an increase in the number of phishing attempts targeting their organizations, and 74% said their organizations had “fallen victim to a phishing attack in the last year.” Nearly three-quarters of respondents said that IT staff themselves were the targets of phishing attempts and 47% of those staffers succumbed to the phish, Ivanti said.
Those attacks are not letting up — 40% of respondents to the Ivanti survey said they had experienced a phishing attack in the past month.
In addition to increased exposure to phishing attacks due to the rise in remote work, staffer fatigue and talent shortages have hindered IT departments, Ivanti security VP Daniel Spicer told VentureBeat.
“The attacks are also getting more sophisticated,” Spicer said. “That’s due in part to the fact that even prior to the pandemic, threat actors had targeted and were collecting entire [email] inboxes to gain a treasure trove from which to craft better, more convincing phishing emails with which to infect victims with ransomware.”
Phishing attacks seek mobile endpoints
Phishing attacks are more successful when targeting mobile endpoints instead of servers, according to the Aberdeen research. That’s made mobile data breaches more pervasive and ultimately more costly. Spicer said such breaches cost companies “a median value of about $1.7 million and a long-tail value of about $90 million.”
The bad news is that older methods of defending against phishing and ransomware aren’t as effective in the face of more targeted, sophisticated attacks, Spicer said. For example, training employees to better avoid phishing scams has had diminishing returns.
“A lot of the traditional stuff we use against phishing isn’t working as well these days,” Spicer said. “User training is not as effective against sophisticated phishing attacks. For example, hovering over a link before clicking isn’t working as well because the bad actors are better at masking bad links.”
What’s more, although training people can still be helpful, overworked IT staffers have been falling behind in such educational efforts, according to the Ivanti survey. Ninety-six percent of respondents said their organizations have programs to teach employees to avoid phishing and ransomware. But only 30% said that 80% to 90% of their employees had completed the training.
Spicer also pointed to the arms race between phishers and cybersecurity professionals, saying it’s difficult for the latter to gain a lasting advantage.
“In terms of technology, we can use machine-learning models to better detect phishing. But the threat actors have those same tools, and they also can leverage large amounts of data from inbox theft to craft better phishing emails,” he said.
So what does work against the bad actors? Spicer said organizations are increasingly turning to zero-trust security frameworks, where users of organizational IT assets are required to constantly and repeatedly verify their credentials to access networks, apps, and data.