64% of CISOs Doubt Their Anti Phishing Tools, Do You?
Attackers have more ways than ever to access an organization’s data. Companies often think they’re on top of things only to learn the hard way.
We developed the External Threat Protection Test to gain a better understanding of the types and severity of phishing threats. We recently conducted an industry survey with dozens of CISOs, looking into companies’ awareness levels. Here are the surprising results.
You Can’t Protect What You Don’t See: Threats Worth Noting
Hackers have different reasons for launching an attack, including financial goals, activist causes, or simply the desire to inflict harm on others. Here are a few phishing channels they use which may go unnoticed by businesses:
- Website phishing: Around 1.5 million new phishing websites are born every month, designed to resemble the real thing as much as possible, with the goal of tricking users into clicking malicious links or submitting personal information, including payment details.
- Executive impersonation: This type of social engineering deceives employees into believing that they are interacting with one of their own executives. Through these interactions, cybercriminals may try to obtain confidential information or gain access to company databases.
- Whaling attacks: These attacks are on the rise. They target company leaders as these key figures can offer direct access to critical information and assets.
- Social media phishing: As security expert Evan Blair accurately put it, “The global use of social media and the risks it introduces to the enterprise is the most overlooked factor in any information security team’s overall security posture.” Social media attacks often involve fake profiles and pages that lead company employees, vendors, and customers to hand over information and click dangerous links.
We divided the above threats into two categories: websites and social media. Each CISO we surveyed then received two separate scores, one for website protection and one for social media protection.
- Website risks often go unnoticed: only 36% of participants state that they regularly monitor for fraudulent domain registrations, including domains associated with the company name or trademarks, typosquats, IDN lookalikes, and other brand-protection areas.
- 32% of participants only monitor content updates on registered domains that include the company name or trademark, and fail to check for DNS record changes and newly created websites.
- 24% do not know whether their company follows up on suspicious domains with any takedown steps. Only 32% believe that their takedown success rate is above 80%.
- Overall, the average website protection security score is only 52.13%.
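The website-protection findings above rest on one concrete control: watching new domain registrations for names that impersonate the brand, including typos and IDN homoglyphs. The following Python script is an added example, not part of the survey or of any product it describes. It scores a constructed feed of newly seen domains against a constructed brand label ("acmebank") using punycode decoding, a small hand-built confusables table, and edit distance; the brand, the allowlist of owned domains, the feed entries and the distance thresholds are all assumptions for illustration.

```python
"""Lookalike-domain checker: flag newly registered domains that impersonate a brand.

Added example (not from the survey). Brand name, allowlist, thresholds and the
"new registrations" feed below are all constructed for illustration.
"""
from dataclasses import dataclass
from typing import List, Optional

BRANDS = ["acmebank"]                      # constructed brand label to protect
OWNED = {"acmebank.com", "acmebank.net"}   # constructed allowlist of legitimate domains

# Hand-built subset of Unicode confusables: characters that render like a Latin
# letter. Written as escapes so the script stays unambiguous in any editor.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",  # Cyrillic a e o p
    "\u0441": "c", "\u0445": "x", "\u0443": "y", "\u0456": "i",  # Cyrillic c x y i
    "\u03bf": "o", "\u03b1": "a", "\u03bd": "v", "\u03b9": "i",  # Greek o a v i
    "0": "o", "1": "l", "3": "e", "5": "s",                      # digit look-alikes
}


def to_unicode(domain: str) -> str:
    """Decode punycode (xn--) labels so IDN homoglyphs become visible."""
    labels = []
    for label in domain.lower().split("."):
        if label.startswith("xn--"):
            try:
                label = label.encode("ascii").decode("idna")
            except UnicodeError:
                pass  # malformed punycode: keep the raw label, it still gets scored
        labels.append(label)
    return ".".join(labels)


def fold(label: str) -> str:
    """Map confusable characters onto the Latin letter they imitate."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in label)


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance (insert/delete/substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


@dataclass
class Finding:
    domain: str
    label: str
    brand: str
    reason: str


def check_domain(domain: str) -> Optional[Finding]:
    """Return a Finding if any non-TLD label of the domain resembles a brand."""
    unicode_form = to_unicode(domain)
    if unicode_form in OWNED:
        return None  # legitimate, owned domain
    # Simplification: treat the last label as the TLD (no public-suffix list).
    for label in unicode_form.split(".")[:-1]:
        folded = fold(label)
        for brand in BRANDS:
            if folded == brand:
                why = "homoglyph of brand label" if label != brand else "brand label on unowned domain"
                return Finding(domain, label, brand, why)
            if brand in folded:
                return Finding(domain, label, brand, "contains brand label")
            d = levenshtein(folded, brand)
            if d <= 1 or (d == 2 and len(brand) >= 8):
                return Finding(domain, label, brand, f"near-miss (edit distance {d})")
    return None


def scan(feed: List[str]) -> List[Finding]:
    """Run every domain in the feed through check_domain and keep the hits."""
    return [f for f in (check_domain(d) for d in feed) if f is not None]


# Constructed "newly registered domains" feed. A real deployment would read
# certificate-transparency logs or zone-file diffs instead.
SAMPLE_FEED = [
    "acmebank.com",                                      # owned, allowlisted
    "acmebank.org",                                      # exact brand label, not owned
    "acme-bank.com",                                     # hyphen insertion
    "acmebank-login.net",                                # brand plus lure word
    "acmebnak.com",                                      # transposition
    "acm\u0435bank.com".encode("idna").decode("ascii"),  # Cyrillic 'e', as punycode
    "weather-forecast.example",                          # unrelated
    "acme.example",                                      # shared prefix only, not flagged
]

if __name__ == "__main__":
    for f in scan(SAMPLE_FEED):
        print(f"{f.domain:32} {f.reason} (label={f.label!r}, brand={f.brand})")
```

Each finding is the kind of record the takedown process in the survey question needs: the raw domain as registered, the decoded label that triggered, and why. The TLD handling is deliberately naive (no public-suffix list), so `brand.co.uk` style names are scored on `brand` only by accident of position; a production monitor would resolve the registrable domain properly and pull its input from certificate-transparency or zone-file feeds rather than a static list.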
Social media results:
- A shocking 56% of respondents state that their organization either does not monitor social media platforms at all or does so only occasionally and manually. Monitoring here means searching brand pages on platforms such as Facebook, LinkedIn, Twitter, and others for signs of phishing activity.
- Only 12% of companies we surveyed take the broad approach and monitor Facebook extensively. This approach includes handling customer and employee reports, employee training, covering pages, groups, and ads, and more.
- 24% do not monitor Facebook regularly at all, leaving this key area unprotected.
- As for takedown success rates, 32% do not know how high it is, and 44% believe it to be lower than 90%. This means that only 24% consider their company’s takedown success rate higher than 90%.
- 64% of companies fail to monitor executives’ social media activity in any way to prevent whaling attacks and impersonations.
- The average social media protection security score is a rather dismal 41.29%.
These numbers paint a gloomy picture of anti-phishing security. While website protection results are better than social media results, because cybersecurity teams are more familiar with that area, both arenas remain exposed. Chances are that many CISOs still find emerging platforms overwhelming and do not know what the threats on them look like to begin with.
Our study uncovered several harsh truths: many CISOs not only lack the knowledge to detect external threats, but are also not equipped to handle them once they are uncovered. We found an extensive lack of expertise in anti-phishing security. This is partially because most CISOs carry a broad range of responsibilities that leaves them unable to address every cybersecurity threat. As a result, social media security and advanced website detection that goes beyond domain names are often not handled to the extent required. Overall, this demonstrates companies’ dire need for new protection standards on all fronts.
Take our short External Threat Protection Test to learn where you stand and identify your digital blind spots: