Even though the vast majority of UK organisations shifted to fully remote working over the course of 2020, barely a third of them offered their users any specific training on how to work from home safely and securely, according to the recently published 2021 edition of Proofpoint’s annual State of the Phish report.
This year’s report is based on analysis of a survey of 600 security professionals in the UK, Australia, France, Germany, Japan, Spain and the US, as well as a third-party study of 3,500 working adults in the same countries, data gleaned from 60 million simulated phishing attacks Proofpoint sent to its customers, and 15 million user-reported incidents.
“The findings related to remote working situations in the UK are eye-opening,” said Adenike Cosgrove, Proofpoint cyber security strategist, international.
“Nearly all the UK infosec professionals we surveyed said they supported a new, remote working model for at least half of their organisation’s workers last year. And yet just over a third of these respondents said workers were trained about security practices related to working from home.
“At the same time, more than half of UK workers say they allow their friends and family to access work-issued devices to do things like shop online and play games. These gaps represent a significant risk and reinforce the need for security awareness training initiatives that are tailored to the remote workforce.”
Alongside the notable failure to provide adequate security training, the UK data shows a tendency among British organisations to operate a consequence model, meaning there are real-world consequences for users who repeatedly breach their employers’ security by falling for real or simulated phishing attacks.
Proofpoint said 60% of UK organisations use such a model, with the consequences ranging from “counselling” from the security team (63%), through impact on performance reviews (48%) and disciplinary action (40%), to termination (27%).
The data also reveals that 68% of UK respondents believe the consequence model has led to an improvement in employee awareness, but this was the lowest vote of confidence that this approach really works across all the countries studied – the global average was 82%.
The UK data further indicated that 44% of infosec survey respondents said they had both experienced a ransomware attack and paid the ransom, against a global average of 34%. Out of those who took the ill-advised decision to pay up, 59% regained access to their data or systems after the first payment, but 39%, having emboldened their attackers, received additional ransom demands.
Unsurprisingly, given the relentless work ethic of the cyber criminal community during the pandemic, the wider survey highlights the huge increase in cyber attacks in the past 11 months or so: over 75% of security professionals said they had faced broad-based phishing attacks, and 57% said they had experienced successful ones. Ransomware attacks were also up.
In terms of training, 80% of global respondents indicated that undergoing security awareness training had reduced phishing susceptibility. That said, while 98% of security pros surveyed said they had an awareness training programme, only 64% offered formal training to users.
“Threat actors worldwide are continuing to target people with agile, relevant, and sophisticated communications, most notably through the email channel, which remains the top threat vector,” said Alan LeFort, senior vice-president and general manager of Security Awareness Training for Proofpoint.
“Ensuring users understand how to spot and report attempted cyber attacks is undeniably business-critical, especially as users continue to work remotely – often in a less secured environment. While many organisations say they are delivering security awareness training to their employees, our data shows most are not doing enough,” he said.