Only 23% of company directors consider ransomware to be a top cyber security priority, even though a slim majority (59%) of organisations have at some point fallen victim to a ransomware incident, according to a new Egress study.
The report, 2022 fighting phishing: the IT leader’s view, is the latest in a long line of reports that appear to highlight clear and concerning communication failures between security leaders and company leaders.
With phishing and ransomware attacks still making headlines and becoming more impactful and sophisticated, Egress said its study confirmed that there was indeed a disconnect around the prioritisation of security at board level, even in the face of the “perfect storm” cliché.
It urged boards to elevate phishing and ransomware, alongside discussions around staff training and preventative technology, in their conversations with IT and security teams.
“Cyber criminals are continuing to leverage sophisticated social engineering attempts to catch users at a weak moment and gain access to the sensitive data they’re seeking,” said Jack Chapman, Egress VP of threat research.
“The results of this study show that cyber security training is limited in its effectiveness and it’s a big ask for people within an organisation to be constantly vigilant to phishing threats.
“It is imperative that organisational leadership, including the board of directors, focus on what is needed to provide the most effective cyber security protection for that organisation. That includes evaluating overall spend and what is in the security stack, looking to intelligent technology to tackle sophisticated phishing attacks.”
Alongside the headline statistics, Egress also found that 70% of IT leaders would refuse a ransomware demand. In common with data recently compiled by Trellix, a new cyber company formed out of McAfee and FireEye, it also found that financial services firms are the most highly targeted by ransomware gangs. Egress reported that as many as 70% of financial services firms had experienced a ransomware attack in 2021, with the average payout standing at about $91,000 (£68,000/€82,000).
Turning to phishing, Egress’ study reported that 98% of organisations now deliver anti-phishing training to their teams. However, half allocate less than a quarter of their security budget to actual anti-phishing measures.
This was despite the fact that 84% of organisations have been hit by attacks that originated with a phishing email, and 66% specifically by business email compromise (BEC), an attack in which adversaries compromise a C-suite target’s email account and use it to trick another employee into sending them money.