EY UK: "We've seen a huge proliferation of very successful phishing attacks"

Phishing_angleBethan Moorcraft at InsuranceBusiness Mag UK wrote an excellent article about the current state of cyber insurance in Europe. Here is an extract with the link to the full article at the bottom:

“In 2018, we saw a huge proliferation of very successful phishing campaigns,” said Ryan Rubin, partner, UK Forensic & Integrity Services team, Ernst & Young. “Unfortunately, cyber criminals are being very effective and are getting through organisations’ defences, despite there being an increasing awareness of cyber risk and a general improvement in security controls. What we’ve seen is that businesses often focus on trying to prevent the sophisticated cyberattacks from happening, and they’re less concerned about basic low-level attacks like phishing and business email compromise.

“From an insurance perspective, I think Europe is still playing catchup compared to the US in terms of the adoption of insurance products and the usage of those as a measure for risk mitigation,” Rubin commented. “I think the insurance market is starting to offer a variety of options that companies can have to manage their risk. However, the cyber insurance isn’t a silver bullet in its own right and may not provide the full cover that organisations need."

“We see organisations of all sizes being targeted and successfully defrauded via phishing campaigns and business email compromise attacks. It’s a combination of social engineering (convincing the recipient that the sender is someone they’re not) and poor cyber hygiene. A lot of organisations have been embracing email solutions in the cloud and as a result of that, some of the nascent weaknesses in security (like password guessing) have helped fraudsters to guess account passwords and start to spoof or pretend to be other members of staff or potentially other suppliers in the supply chain.”

There are relatively simple risk mitigation responses to email compromise and social engineering, according to Rubin. A lot of it ties into basic cyber security hygiene, such as moving away from ordinary username and password authentication to two-factor authentication, particularly schemes that make use of security keys rather than email or SMS communication. This does create a small bit of inconvenience for email users, but it pays off in strengthening an organisation’s email security.

“It also comes down to general awareness,” Rubin told Insurance Business. “What really puzzles me is how any business can accept bank account details and instructions via email, and no matter who it’s sent by, will then allow that transaction to take place. In today’s world, we simply can’t trust emails for sensitive banking transactions, or even to supply personal information to others."

We could not agree more. Together with the proposed measures above, stepping users through new-school security awareness training is a must to keep employees on their toes with security top of mind.

Here is a link to the full article.

Find out how affordable new-school security awareness training is for your organization. Get a quote now.

Get A Quote
Request A Demo


Topics: Phishing

Subscribe To Our Blog

Ransomware Has Gone Nuclear Webinar

Get the latest about social engineering

Subscribe to CyberheistNews