
PAV study highlights phishing threat to SMEs
A recent study carried out by PAV it Services in conjunction with one of the UK's leading insurers highlighted how vulnerable staff at small and medium-sized enterprises (SMEs) are to phishing emails. This is despite cyber attacks having had a higher public profile since the WannaCry ransomware attack crippled the NHS and many other organisations in May 2017.
Sussex-based PAV, which was recently selected as a founding technology partner of the government-backed London Digital Security Centre, tested over 350 executives and employees at 11 businesses based in London and the South East. PAV sent them a series of phishing emails, often tailored to the recipient's office location or line of business, in order to see how staff would react if a malicious email slipped through their IT defences. The findings highlight the need for company owners to take rapid action to improve their cyber security.
Key findings:
· Only 42% of staff opened the emails, but of those who did, the majority (71%) were deceived into clicking a link to an external website, which on its own could lead to a security breach. On that site they were asked to download a file or enter login details; 21% of all participants did so. This is the more serious failure, as it would most likely lead to a major security incident.
· An email spoofing (impersonating) a company executive, which asked staff to enter their login details so that password complexity could be checked, resulted in 14.5% of recipients divulging their credentials.
· The email with the highest failure rate was a fake Dropbox link, varied according to each company's business activity and often referring to a fictitious sales quote. It produced a 38% failure rate, with 27% of employees clicking the download button.
· Only one of the eleven companies passed the test with no employees clicking on links.
· Seven out of the eleven companies tested had incorrectly configured ‘anti-spoofing’ settings.
[Chart: Combined statistics for all emails sent]
PAV Managing Director Jason Fry commented: “These simulations have highlighted that businesses are highly vulnerable to phishing attacks. Government research shows that just under half (46%) of all UK businesses identified at least one cyber security breach or attack in the last 12 months. As the majority of these attacks originate with a phishing email, this is obviously a huge problem area that needs to be addressed.”
Jason strongly advises business managers to ascertain what level of risk is acceptable to them and to be proactive.
“Once companies realise and accept that they are exposed to cyber crime, there are several simple and relatively inexpensive steps that they can take to remove themselves from the category of low hanging fruit, offering easy pickings to cyber criminals,” he explains. “We tell our clients that they need to view cyber security as a journey because it is unlikely that they can achieve all their goals straight away.”
Some simple steps to become more resilient
PAV recommends that SMEs take the following cost-effective measures to become more secure:
· Start with a cyber security audit to provide a roadmap of the policies and procedures that need to be put in place. This assessment helps companies avoid the trap of buying expensive software that may not address their actual security needs. PAV recommends that a suitably security-skilled professional carry out the audit, which may mean turning to a third-party provider.
· Carry out awareness training on a continuous basis so that cyber security stays in the consciousness of all employees and creates a company culture based on alertness and vigilance towards potential threats. This is best run in tandem with regular phishing simulations.
Jason concludes: “The good news is that it is often not too difficult or expensive for companies to take the measures required to become significantly more secure. The challenge is making them aware of the problem before they become victims of cyber crime.”