Proofpoint, Inc. has released its seventh annual State of the Phish report, which explores enterprise phishing experiences and provides an in-depth look at user awareness, vulnerability, and resilience. Nearly three-quarters of surveyed infosec professionals in Australia (74%) said their organisations faced broad-based phishing attacks—both successful and unsuccessful—in 2020, and ransomware infections impacted two-thirds of Australian survey respondents.
This year’s State of the Phish report examines global third-party survey responses from more than 600 information security professionals in Australia, the UK, France, Germany, Japan, Spain, and the U.S., and highlights third-party survey findings of 3,500 working adults within those same seven countries. The report also analyses data from more than 60 million simulated phishing attacks sent by Proofpoint customers to their employees over a one-year period, along with approximately 15 million emails reported via the user-activated PhishAlarm reporting button.
“Threat actors are continuing to target people with agile, relevant, and sophisticated communications—most notably through the email channel, which remains the top threat vector in Australia and worldwide,” said Crispin Kerr, ANZ Area Vice President at Proofpoint. “Ensuring users understand how to spot and report attempted cyberattacks is undeniably business-critical, especially as teams continue to work remotely – often in a less secured environment. While many organisations in Australia say they are delivering security awareness training to their employees, our data shows most are not doing enough.”
Proofpoint’s report emphasises the need for a people-centric approach to cybersecurity protections and awareness training that accounts for changing conditions, like those experienced by organisations throughout the pandemic. Survey findings reveal a lack of tailored training. For example, 80% of Australian infosec survey respondents said their workforce shifted to a work-from-home model last year, but only 32% said they trained users on safe remote working. “These findings related to remote working situations are eye-opening,” said Mr Kerr.
“At the same time, 42% of Australian workers say they allow their friends and family to access work-issued devices to check emails, use social media, shop online, play games, and other activities. Although this is an improvement from what our survey showed a year ago — where 51% of Australian workers allowed such activities on their work-issued devices — these ongoing gaps still represent a very significant risk and reinforce the need for security awareness training initiatives that are tailored to the remote workforce,” he added.
Proofpoint’s State of the Phish details actionable advice as well as a deep analysis of the phishing threat landscape to help reduce risk. Key findings include:
Infosec Professionals survey
- More organisations worldwide experienced successful phishing attacks in 2020 vs. 2019 (57% vs. 55%), according to the third-party survey commissioned for the report. In Australia, the increase was even larger: 60% of local survey respondents reported having experienced a successful phishing attack, vs 54% in 2019. In addition, business email compromise (BEC) attacks continue to be a serious concern.
- 67% of the Australian infosec professional respondents reported that their organisations were victims of a ransomware infection in 2020 as a result of successful phishing attacks, up from 54% the year before and well above the global average of 47%. Of those Australian organisations that paid the ransom following an infection, only 50% received their data back after the first payment. An additional 43% were hit with follow-up ransom demands that they agreed to pay, eventually regaining access to their data – a significant increase from the year before, when none of the surveyed organisations in Australia reported this situation.
- 86% of the Australian organisations surveyed indicated that security awareness training has reduced phishing susceptibility – a slightly higher success rate than the 80% of the worldwide organisations that reported this result. But while all the Australia-based infosec professionals surveyed said their organisation has a security awareness training program, only 68% offer formal training sessions to users as part of cybersecurity training initiatives. 26% of Australian organisations rely only on using simulated phishing tests.
- 50% of Australian infosec survey respondents said their organisation punishes employees who regularly fall for phishing attacks (simulated or real), meaning there are consequences (other than additional training) for “repeat offenders”, against a global average of 55%.
- Among Australian organisations that use consequence models, repeat offenders face significant consequences, including counselling from the infosec team (76%), disciplinary actions such as a written warning enforced by HR (72%), and an impact on yearly performance reviews (64%). And 88% said a consequence model led to an improvement in employee awareness.
Working Adults survey
- 42% of Australian workers say they allow their friends and family to access work-issued devices to do things like check emails, use social media, shop online and play games. This is an improvement from what our survey showed a year ago, when 51% of Australian workers allowed such activities on their work-issued devices.
- 59% of Australian workers know they should be suspicious of all unsolicited email, which compares favourably with their global peers (51%). 22% of Australian workers think their organisations will automatically block all dangerous emails.
- When asked to identify the definition of ransomware from a multiple-choice list, 42% of Australian workers answered this question correctly (against a global average of 33%). When asked what phishing was, 66% of Australian workers answered correctly (against a global average of 63%).
- Worldwide, Proofpoint customers’ overall average failure rate on phishing simulations was 11%, down from 12% in 2019. The overall average resilience factor was 1.2, indicating that, in general, these organisations’ users are more likely to report a suspicious email than to interact with it.
Organisations are encouraged to proactively develop people-centric cybersecurity strategies that account not only for shared experiences across regions, industries, and departments, but also the threats that are unique to their missions, goals, and people.
Download the 2020 State of the Phish report.