Why Organisations Need to See Phishing as an Insider Risk

Published on

This article was written by Jack Chapman, VP of Threat Intelligence at Egress

Phishing is everywhere right now, and IT leaders know it’s a major threat to their organisation. Findings from the 2021 Egress Insider Data Breach Survey show 73% of organisations have suffered a serious data breach as the direct result of a phishing attack in the last 12 months. However, some IT leaders are still surprised to learn that at Egress we class phishing firmly as an insider risk, even though the attacks originate externally. This doesn’t mean we need to view our employees as bad people – in fact, we believe the key to stopping phishing is to empower employees with the right technology to defend themselves.

What phishing is doing to employee trust and why it is an insider risk

It’s tempting to class phishing as an external threat, as attacks do originate from outside your organisation. However, without an (almost always accidental) action from an insider, a phishing attack won’t come to fruition. Cybercriminals know this, so they carefully craft phishing emails to press on our psychological triggers.

Phishing emails are designed to be urgent requests that require confidentiality – often at the request of an authority figure. The sender wants an insider to act quickly and impulsively, rather than analysing the request with slow, rational thought. They know just the right buttons to press in order to make an insider react and take the bait.

The problem for organisations is that they need their employees to make the right decision every time, whereas the cybercriminals just need one person to make a mistake once. Egress survey data shows that 55% of employees said they’d received a phishing email in the past 12 months, and 27% said that they’d received an email from someone pretending to be a senior employee. And that’s just the ones they’ve been able to self-identify.

From a criminal’s perspective, it’s well worth the effort. Phishing is relatively easy compared to hacking into an IT system, and the rewards can be highly lucrative. Unfortunately for businesses, the stakes of falling for a phishing scam have also never been higher.

How big of a problem is phishing?

In the past, phishing emails were often sent in bulk to mass email lists. These could be stopped pretty effectively by traditional technology such as secure email gateways (SEGs). However, criminals don’t stand still. We’re seeing more and more cases of business email compromise, such as account takeovers and C-suite impersonation. These attacks are well-researched, highly-targeted, and often successful.
If private data under your protection is stolen and sold, you run the risk of severe financial penalties from regulators. Not only that, but clients are increasingly conscious of data security within their supply chains. The bad reputation that follows a data breach is often devastating. This may seem harsh if it all comes from a single accidental click, but that’s the data security climate we live in.

Data breaches aren’t the only things keeping IT leaders up at night. Ransomware is a huge and growing problem that proves how rapidly a new threat can take hold. You only need to check the news from the past few months to see major ransomware attacks taking place across the world. It’s a low-cost, high-reward strategy for criminals that’s only going to get worse.

Cybercriminals can get hold of ransomware with frightening ease, and they require little-to-no technical knowledge to use it. Just an email. We’re seeing a huge rise in ‘crime-as-a-service’ where criminal gangs market and sell both knowledge and malicious software on the dark market, and over 90% of it is delivered into organisations via email phishing.

What do organisations need to do now?

While phishing is an insider risk, it’s not so simple as blaming employees for successful attacks. However, there’s still usually a price to pay for the unfortunate employee who clicked on the phishing link. In 23% of organisations, the employee who fell for the scam ends up leaving their job (either through being fired or leaving voluntarily).

43% of IT leaders pointed to ‘not following security protocols’ as the number one way an employee would fall victim to a phishing attack, while 36% blamed employees ‘rushing and making mistakes.’ However, is too much responsibility for stopping phishing being put at the feet of employees? At Egress, we believe businesses can (and should) be doing more to equip employees with the technology they need to stay safe.

Phishing isn’t going away. In fact, 50% of IT leaders expect remote working to make it harder to prevent phishing incidents in the future. So what can we do? Phishing is ultimately a human problem, but you can use technology to even up the odds. These attacks target the human layer, so we need to use technology that targets the human layer too, turning your employees into your defence, rather than a weak point to attack.

Organisations must look to intelligent anti-phishing solutions that use machine learning and natural language processing capabilities to catch the more sophisticated phishing attacks that will slip through your SEGs. The best solutions also have an educational component to them. Thus, instead of simply blocking a phishing email, it will also help employees to understand the context of why it has been flagged as an attack – leaving them better prepared and protected for next time.

Liked this video? Subscribe to the YouTube Channel for more educational content in enterprise technology.

Join 34,209 IT professionals who already have a head start

Network with the biggest names in IT and gain instant access to all of our exclusive content for free.

Get Started Now