The latest data from CSO’s 2018 U.S. State of Cybercrime report highlights the risk users create, and how little organizations are doing to address it.
This year’s report covers a wide range of topics, providing a relatively comprehensive view of the state of cyberattacks, organizational preparedness, and incident response. I’ve pulled out a number of stats that demonstrate the role users play in increasing risk to the organization, what organizations are doing about it, and how they can do more to stop cyberattacks.
Who’s experiencing attacks (and how bad are they)?
A majority of organizations (59%) have experienced at least one targeted attack during the past 12 months. And targeted attacks are costly: 40% of security event-related financial loss in that same 12-month period was caused by targeted attacks. This massive financial loss is likely because over a third of organizations (35%) indicated it takes longer than a month to identify intrusions on their network, giving attackers the time they need to wreak havoc on your data.
What kinds of attacks?
The CSO data confirms what we’re already seeing across the industry:
- 28% of organizations experienced viruses, worms or other malware on-prem, 9% in the cloud
- 28% of organizations experienced phishing attacks on-prem, 16% in the cloud
What’s missing from this survey is the inclusion of cryptojacking, which has overtaken ransomware as the dominant attack vector in many industries.
Who’s falling for attacks?
Users. That’s who. 42% of organizations cited the “innocent employee” who unwittingly falls victim to a phishing or hacker scam, or whose credentials were otherwise compromised, as the greatest threat.
What are organizations doing about it?
A supermajority (95%) of organizations are using some form of Security Awareness Training at least annually. But, according to the survey, only 15% of organizations are creating a security culture with continual training and phishing testing.
Is Security Awareness Training working?
According to CSO, it’s a resounding yes. Nearly two-thirds of organizations (66%) say that the use of security awareness training has had a significant/reasonable impact on reducing the number of successful phishing attacks at their organization.
Just think of how much more impactful it would be if these same organizations used continual training and testing to help establish an ever-present security mindset.
With users posing a significant risk, and organizations believing they’re already doing all they can, it’s time to learn from the data: more Security Awareness Training will have that much more of an impact in stopping the “innocent user syndrome” that plagues organizations today.