The US and UK share a lot of things. History. Political traditions. A language, if one is feeling generous. And now some worrisome phishing data that jumps out of two reports PhishMe® has commissioned, most recently in the UK.
Both our UK and US reports look at phishing response trends. Here’s the story: companies on each side of the pond cite phishing as their #1 security worry—but nearly half say they aren’t ready to handle an attack.
Somewhere, Winston Churchill and FDR are rolling over. Compare the two reports and you’ll glean the following insights:
- About ½ of companies can’t handle a big hairy threat they clearly see.
In the UK, 48% rate their phishing response from mediocre to “totally ineffective.” In the US, that number is slightly lower, at 43%.
Yet, 70% of UK companies say they’re more concerned about phishing than any other security problem, and 90% of American companies lose the most sleep about phishing and other email threats.
There’s a nightmare of a gap between “This is bad” and “Hey, we’re ready.”
- 2/3 in both countries have dealt with email-related security incidents.
This statistic is especially telling. In both reports, a (slight) majority of businesses express confidence they’re prepared for a phishing attack. Yet in the UK and US, the same percentage, 66%, have been forced to put out fires started by phishing emails.
These emails are getting through in droves, both at companies that think they’re well prepared and those that know they’re not. What gives? The next set of numbers may shed light.
- Too many threats + slow response = major exposure.
64% of UK companies say they still report phishes manually. That is, people send them to an inbox where the emails tend to pile up.
In the US, only 26% of companies even have a dedicated phishing inbox. Often, the helpdesk is the unlucky recipient of emails flagged as “might be” phishes.
Worth remembering some of those emails aren’t opened, but plenty of them are. So, whether it’s manual reporting or lack of a central repository, the real problem for too many businesses is slow, inefficient response.
In their own report on cyberattacks, Mandiant notes that the median time from compromise to discovery is 99 days. During that time how many phishes are delivering malware and wreaking havoc?
- Most plan to upgrade their phishing defenses within the next year.
Okay, some good news. Eight in ten US companies plan anti-phishing upgrades over the next 12 months. In the UK, 96% of companies surveyed have anti-phishing investments on tap.
Better late than never, but again, it’s a race against time. According to the reports, many companies see over 500 suspicious emails a week—23% in the UK and 33% in the US.
Also, almost half of UK companies say their top anti-phishing challenge is multiple solutions that aren’t well integrated. Throwing technology at the problem isn’t going to solve it. Besides integrating systems, businesses need trained, vigilant employees to recognize phishing, forming a last line of defense when attacks slip by technology.
- The US and UK both want automation to analyze threats.
If they got their way, 57% of companies in the UK would invest in automated analysis of reported emails. One in three companies would do the same in the US.
Yet what is interesting is the role human beings will continue to play in this security process. Employees (humans) report emails they find suspicious, and automated systems examine these reported communications to prioritize threats. Then, incident responders (more humans) start hunting for malware like the Royal Navy scouting the seas for U-boats.
So, while there’s a real demand for automation to help find real threats faster, the human factor is still essential.
It’s a one-two punch that companies in the UK and US need. And they know it, as PhishMe’s reports make unmistakably clear. It’s good to see some urgency building in these two markets, because a threat ignored is a threat emboldened. Sir Winston could have told you that.
To learn more, read PhishMe’s UK report, “Phishing Response Trends: It’s a Cluster.”
Click here to view the US report.