Ivanti study reveals: More and more companies are losing the battle against phishing attacks due to a lack of skilled workers. A solution approach.
by Svenja Koch
IT professionals "phish in the tired". This is the finding of a study recently published by the automation platform Ivanti. According to the survey on which the Ivanti study is based, 80% of the IT professionals surveyed report a significant increase in phishing attempts over the past year, 2020. An equally worrying 74% of the companies surveyed said they had been the victim of a phishing attack within the last few months. What is most striking about the study is that IT professionals have been the target of phishing attacks more than any other group within a company. A full 74% of the IT professionals surveyed were targeted by cybercriminals - far more than any other group. The Ivanti study makes it unmistakably clear that phishing has long been more sophisticated than the well-known "emails from the deceased aunt from Papua New Guinea". 47% of the IT professionals surveyed admitted that they had already fallen for such a cyber attack. The reasons for the increase in successful phishing attacks: carelessness, a shortage of skilled workers and overworked IT staff. We present one approach to breaking out of this dangerous situation.
Phishing, smishing, vishing - the attacks are becoming more and more sophisticated
Phishing is a neologism derived from the word "fishing". The artificial word is made up of "password harvesting" and "fishing" - in phishing, bait is set out to fish for passwords. Typical phishing attacks are perfectly imitated websites of trustworthy companies, for example banks. On the fake pages, visitors are asked to enter their login data or TAN for online banking. However, the data collected in this way does not end up with the bank - but with cyber criminals, who use it to loot the account at their leisure. In order for as many users as possible to fall for such "offers", they are "fished" - in the form of mass or targeted (spear phishing) e-mails. So-called man-in-the-middle attacks are also popular. Here, the phishing fraudsters use a malware programme to hack into the communication between the customer and the provider - and thus grab the desired data unnoticed.
The portfolio of fraud attempts is supplemented by smishing, a neologism of SMS and phishing. For smishing, fake text messages are sent, usually with a reference to a package that has been sent. The SMS contains a link that leads directly to malware or a phishing site.
While phishing and smishing use quite impersonal communication channels, vishing goes directly to interpersonal contact. Vishing is the abbreviation for voice phishing - this artificial word can be translated as "telephone fraud". Vishing has become more relevant, especially due to the increased share of home offices in the past year. The victims are caught off guard by a call from a supposed superior - and give out confidential information, personal data and passwords.
Why is phishing so successful - and why is the fight against it so unsuccessful?
The current phishing trend shows that mobile device users are increasingly being targeted. A recent study by Aberdeen shows that cyber attacks on mobile devices are significantly more successful than comparable attacks on servers. Two things are responsible for this success: poor technology and a lack of awareness among employees. Insufficient awareness of potential cyber threats by employees, who are accessing company data remotely more frequently than ever before, is the main reason for successful phishing attacks for 34% of the companies surveyed in the Ivanti study. At the same time, almost all companies, namely a whopping 96%, offer their employees training to provide comprehensive information about phishing attacks, ransomware and the like. Unfortunately, this offer is not widely accepted. Only one third of the companies could confirm that the majority of their employees had taken part in the training.
The shortage of skilled workers intensifies the problem
More than half of the companies surveyed in the Ivanti study suffer from a lack of personnel - especially in the area of IT specialists. A representative survey by Bitkom is even more dramatic: here, seven out of ten companies state a shortage of IT specialists. For the available IT experts in the companies, this means: more work with less time. Successfully carried out cyber attacks are thus detected more slowly, insufficiently combated and at the same time phishing attacks occur more frequently. A real vicious circle is brewing on the horizon of digitalisation. Derek E. Brink, Vice President and Research Fellow at Aberdeen Strategy & Research, brings up a possible solution to the problem. "Reducing the risk of phishing attacks is a race against time, in more ways than one. Enterprise IT professionals need to stay ahead of not only the attackers who are constantly developing new attacks, but also their own users - who are frighteningly quick to click on malicious links," Brink said. "While many companies have invested in security awareness training initiatives, they should also prioritise and apply advanced automation, artificial intelligence and machine learning technologies. This will help identify, verify and remediate phishing threats more quickly and consistently."
Automation, AI and machine learning - Helpful measures, but not available in the short term
Derek E. Brink is undoubtedly right. Cybersecurity that is automated as far as possible, powerful artificial intelligence and IT that independently learns how to deal with new cyber threats and how to combat them are proven measures in the fight against cybercrime - and an alternative to the time-consuming search for IT specialists. However, there is one thing that the measures mentioned are not: available at short notice. A company that decides to automate its cybersecurity today faces a process that can take months or years. Alternatives are therefore in demand - especially those that are available in the short term, without additional expense and, if possible, without additional IT specialists.
Managed IT Security Services: The solution in the fight against the skills shortage?
Managed IT Security Services are a powerful alternative if companies want - or need - to increase their capabilities in the fight against cybercrime in a timely manner. Just because advertised IT security jobs remain unfilled and IT professionals are not available on the market, this does not mean that a company has to do without protection against phishing, ransomware and data theft. Managed IT security services are customised security solutions provided by external service providers. Managed IT Security Services are active around the clock, serve as an additional security layer in the area of cyber defence when hosted externally, and thus relieve the burden on the company's internal specialists.
Active Cyber Defense - A lean, cost-effective and secure solution
Comprehensive, holistic security information and event management, SIEM for short, is considered one of the most secure measures to protect a company against cybercrime. But even for a SIEM, IT specialists are needed - and it is precisely in this area that most IT security jobs currently remain unfilled. Here, however, a managed security service solution is available that is not only efficient, but also extremely lean, cost-effective and secure. With secion's Active Cyber Defense Service, companies receive a proactive solution for attack defence around the clock, 365 days a year. The Managed IT Security Service is not limited to monitoring the networks and identifying and reporting unusual activities. Rather, the IT specialists provide a dedicated SOC team that evaluates the reported anomalies and makes recommendations for action. Another major advantage of this managed IT security service: it is quickly available. While time-consuming configuration and adjustment phases are the rule rather than the exception in SIEM projects, the Active Cyber Defense Service is implemented in just three to seven days - depending on the size of the company.
Managed IT Security Services give your own IT staff more breathing space
In addition to the advantages in terms of cyber security, Managed IT Security Services offer another plus point: they relieve the in-house IT security team of some tasks. As a result, the in-house experts can devote themselves more comprehensively and thoroughly to the tasks that urgently need to be done, especially in the current phishing peak phase - employee training, among other things. Also, less stress usually means more attentiveness - so that perhaps the next phishing links will not be clicked on, but deleted right from the start.
IT security jobs remain unfilled far too often in 2021. The shortage of skilled workers in combination with an increasing overload of existing IT specialists has led to a drastic increase in phishing attacks last year and this year. As the Ivanti study made clear, it is primarily IT experts who are targeted by hackers - and who fall for the cyber attacks. The fact that IT security jobs can only be filled after a long search or not at all does not necessarily mean that companies have lost the battle against phishing and the like - or that they can only fight cyber attacks with half their strength. With Managed IT Security Services, the security gap can be closed quickly, efficiently and cost-effectively. In this way, the urgently needed IT security is maintained and at the same time the company's internal IT security experts are relieved.