Weakest links in an age of novel threats


Cyber security remains a top priority for businesses across all industries worldwide, but deciding which areas to prioritize and how to enforce compliance can still be challenging.

Every company has actions it can take to strengthen its defenses, including providing its IT teams with the right tools for the job and training staff to remain vigilant when it comes to cyber threats. Companies also need to maintain oversight of the overall threat landscape, as knowing how attackers leverage zero-day vulnerabilities and novel attacks can be invaluable to forming the best security strategy.

With the nature and popularity of different attack methods constantly changing, recent data shows many firms are unprepared for coming threats. Proofpoint’s 2024 State of the Phish: Europe and the Middle East report took in responses from 7,500 end users and 1,050 security professionals across 15 countries including the United Kingdom, France, Germany, the UAE, and Sweden.

Globally, 71% of respondents admitted to not following basic cyber hygiene, taking risks such as reusing passwords or visiting inappropriate websites. More worryingly, almost all of these (96%) said they knew the action was risky at the time. Respondents from Europe and the Middle East were even more likely to admit to this kind of behavior, with 76% saying they had taken cyber security risks at work.

The most common risky activities users admitted to included using their work device for personal tasks, reusing and sharing passwords, and responding to SMS or email messages from unknown contacts. The underlying motivation is not malice but a misplaced desire to get things done: 41% said they took actions they knew to be risky to save time, and 39% because the risky option was the most convenient in the moment.

Novel attacks create new risks

The report also highlights some emerging threats that both users and security teams may be less aware of and are therefore harder to defend against, such as telephone-oriented attack delivery (TOAD). In this type of social engineering attack, the attacker sends an email posing as a technical or financial helpline at a legitimate firm and prompts the user to call a listed number. Once the victim is on the phone, the attacker talks them through clicking links that capture their credentials, or through installing malware on their own device. Because the email itself contains no malicious link or attachment, it often passes email filters. Across Europe and the Middle East, 70% of organizations experienced TOAD attacks in 2023, above the global average of 67%.

AI tools such as ChatGPT can also be used to generate convincing text for malicious emails or phishing campaigns on any platform. While it can be hard to determine whether generative AI was used in any given business email compromise (BEC) campaign, research indicates that attackers are using the technology to produce fluent, tailored lures at a scale and speed that were previously out of reach.

Proofpoint notes that BEC attacks are rising in countries where English is not the dominant language, against a global downward trend, and links this to the use of generative AI tools. Some of the most popular generative AI tools, such as ChatGPT, can respond fluently in a wide range of languages, which could enable threat groups to target businesses in territories they had never previously considered because of the language barrier.

The diverging trends between English-speaking and non-English-speaking targets could also indicate that users who do not speak English as their first language are less likely to notice discrepancies in seemingly legitimate emails written in English.

Fighting these newfound threats will require greater transparency and communication between security teams and other staff within their organization, alongside better commitment to staff cyber security training by leaders.

Training and user experience as a first line of defense

The majority (88%) of users surveyed by Proofpoint said more training would help them to prioritize security in their day-to-day role, and even more (94%) said making security easier to follow would.

Data indicates that at present, leaders have fallen behind when it comes to training. For example, despite the risk posed by TOAD attacks and generative AI phishing just 20% of surveyed organizations conduct social engineering training – down from 23% in 2022. In Germany, where 78% of respondent businesses were hit with TOAD attacks in 2023, just 21% trained specifically on this attack method.

If employees do not have a good understanding of their own role in cyber security, a business's workforce will become its own weakest link. Although 85% of surveyed cyber security professionals said employees know they have a part to play in security, over half (59%) of all user respondents said they are not responsible for security, or were unsure when asked. Only more rigorous employee training and an alignment in attitudes around accountability can break this pattern.

Cyber security teams may also be over-reliant on measures such as multi-factor authentication (MFA). MFA does provide an extra layer of security even if a victim's password is stolen or cracked, but in recent years staff at many firms have become increasingly irritated by the number of MFA prompts they face throughout the working day, and attackers have learned to exploit that irritation.


In MFA fatigue attacks (also called push bombing), attackers who already hold a victim's password, whether stolen or cracked, automate repeated login attempts so that the victim is bombarded with push notifications, in the hope that they will eventually tap 'accept' out of confusion or irritation. A single accepted push hands the attacker an authenticated session.
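The pattern described above is easy to spot in authentication logs if anyone is looking: one account receives a burst of push challenges in a short window, most of them denied or left to time out, sometimes followed by a single approval. The following Python script is an added illustration written for this page, not Proofpoint's code or a real product's log format. It parses a constructed sample log (the format and the user names are hypothetical) and flags any user who received at least `threshold` push challenges within a sliding `window`, recording whether an approval followed the burst.

```python
"""Detect MFA push bombing in a simple authentication log.

Added example for this page; the log format below is a hypothetical,
constructed one, not any vendor's real output.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "<ISO-8601 UTC timestamp> <user> <event> <source-ip>"
# Events: push_sent, push_approved, push_denied, push_timeout.
SAMPLE_LOG = """\
2024-03-05T08:00:05Z bob push_sent 198.51.100.10
2024-03-05T08:00:20Z bob push_approved 198.51.100.10
2024-03-05T08:01:00Z alice push_sent 203.0.113.7
2024-03-05T08:01:30Z alice push_denied 203.0.113.7
2024-03-05T08:01:45Z alice push_sent 203.0.113.7
2024-03-05T08:02:10Z alice push_denied 203.0.113.7
2024-03-05T08:02:25Z alice push_sent 203.0.113.7
2024-03-05T08:02:55Z alice push_timeout 203.0.113.7
2024-03-05T08:03:05Z alice push_sent 203.0.113.7
2024-03-05T08:03:30Z alice push_denied 203.0.113.7
2024-03-05T08:03:40Z alice push_sent 203.0.113.7
2024-03-05T08:04:02Z alice push_approved 203.0.113.7
2024-03-05T09:15:00Z carol push_sent 192.0.2.44
2024-03-05T09:15:20Z carol push_denied 192.0.2.44
2024-03-05T09:40:00Z carol push_sent 192.0.2.44
2024-03-05T09:40:15Z carol push_approved 192.0.2.44
"""

REJECTED = {"push_denied", "push_timeout"}


def parse_log(text):
    """Parse log lines into (timestamp, user, event, ip) tuples, sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, event, ip = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, event, ip))
    events.sort(key=lambda e: e[0])
    return events


def detect_push_bombing(events, window=timedelta(minutes=10), threshold=5):
    """Return {user: finding} for every user who received at least `threshold`
    push challenges inside any `window`-long span of time.

    The finding records the burst boundaries, how many pushes were rejected
    or timed out, whether a push was approved after the burst began (the
    attacker's success case), and the source IPs that triggered the pushes.
    """
    pushes = defaultdict(list)     # user -> timestamps of push_sent
    approvals = defaultdict(list)  # user -> timestamps of push_approved
    rejections = defaultdict(list) # user -> timestamps of denied/timed-out pushes
    sources = defaultdict(set)     # user -> IPs that triggered pushes
    for ts, user, event, ip in events:
        if event == "push_sent":
            pushes[user].append(ts)
            sources[user].add(ip)
        elif event == "push_approved":
            approvals[user].append(ts)
        elif event in REJECTED:
            rejections[user].append(ts)

    findings = {}
    for user, times in pushes.items():
        start = 0
        # Sliding window over the (sorted) push timestamps.
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                burst_start, burst_end = times[start], times[end]
                horizon = burst_end + window  # look a little past the burst for the outcome
                findings[user] = {
                    "pushes": end - start + 1,
                    "first": burst_start,
                    "last": burst_end,
                    "rejected": sum(burst_start <= t <= horizon for t in rejections[user]),
                    "approved_after_burst": any(burst_start <= t <= horizon for t in approvals[user]),
                    "source_ips": sorted(sources[user]),
                }
                break  # one finding per user is enough to raise an alert
    return findings


if __name__ == "__main__":
    for user, f in detect_push_bombing(parse_log(SAMPLE_LOG)).items():
        print(f"{user}: {f['pushes']} pushes between {f['first']:%H:%M:%S} and "
              f"{f['last']:%H:%M:%S}, {f['rejected']} rejected, "
              f"approved afterwards: {f['approved_after_burst']}")
```

On the sample data only alice is flagged: five pushes in under three minutes, four rejected, then an approval. The threshold and window are tuning knobs; a real deployment would also key on source IP and geography. On the prevention side, the attack stops working when the authenticator requires the user to type a number shown on the login screen (number matching) rather than simply tapping approve.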

Attack patterns in use against businesses right now can also circumvent MFA outright. Proofpoint measured more than a million attacks per month throughout 2023 that used EvilProxy, a phishing-as-a-service kit that places a reverse proxy between the victim and a legitimate login page: the victim types their password and completes the MFA challenge on what is really the genuine site, while the proxy records the credentials and the authenticated session cookie that the site issues. With that cookie the attacker is logged in without ever needing the second factor, so one-time codes and push approvals offer no protection against this technique; only origin-bound, phishing-resistant methods such as FIDO2 security keys or passkeys do. Despite these figures, the majority (89%) of security professionals surveyed still believe MFA is completely effective at preventing attackers from seizing employee accounts.

To combat the most advanced threats, businesses should start by ensuring staff know the basics. Breaking out of the mindset that MFA alone settles the matter, and teaching staff about these key weaknesses, is paramount if security teams want to address all threats, from the rudimentary to the highly sophisticated.

Find out more

Learn more about Proofpoint's Europe and the Middle East findings in its upcoming webinar, 14 Types of Phish and How to Defend Against Them.

ITPro

ITPro is a global business technology website providing the latest news, analysis, and business insight for IT decision-makers. Whether it's cyber security, cloud computing, IT infrastructure, or business strategy, we aim to equip leaders with the data they need to make informed IT investments.
