Nearly half of British companies (43%) have been the victim of a cyberattack in the past three years, with over a third more than once (17%), according to new research from SoSafe. Most British IT security managers agree that the geopolitical situation (79%), hybrid working (76%) and artificial intelligence (68%) have worsened the cyber threat situation.
SoSafe’s 2023 Human Risk Review provides an overview of the current cyber threat landscape and corporate security culture based on responses from over 1,000 IT security managers in Europe, multiple expert interviews and more than 8.4 million data points from the SoSafe awareness platform.
Dr Niklas Hellemann, CEO and founder of SoSafe, said:
“Our society has experienced a multitude of crises and conflicts in the past year. The resulting ongoing uncertainty as well as fear and stress play into the hands of cybercriminals, who exploit this for new social engineering attacks. Cybercrime is now a highly professionalised business model that can invest extensive resources in research and development. Tactics and strategies are adapted every minute to use these new insights for profitable cyberattacks.”
Phishing remains a perennial threat
Eighty-three per cent of the respondents said that they see phishing and the emotional manipulation of people as a security risk. Phishing is also the attack method that affected most of the companies surveyed, at 40%. SoSafe’s data shows that one in three people (31%) click on harmful links or attachments in phishing emails. Subject lines such as “Damaged car” and “Teams invitation” were the most likely to tempt people to open, click or even enter personal information on a further website. Employees seem to be particularly susceptible to social engineering tactics that trigger strong emotions, such as pressure (24%), authority (28%) or financial appeals (18%). According to data from the SoSafe platform, this type of emotional manipulation tends to result in higher click-through rates on phishing emails than previous years (2021: pressure, 24%; authority, 24%; financial appeals, 17%).
Said Dr Hellemann:
“Phishing remains the most used and also most successful attack strategy on the human factor. Every third person still clicks on harmful content in phishing emails. This is mainly because cybercriminals have numerous options for highly personalised phishing attacks that average users are not prepared for – they use personal information from social media, instrumentalise geopolitical events that usually trigger strong emotions or use artificial intelligence to imitate images, videos or voices. And this is the new norm – cybercriminals will constantly develop new, creative attack strategies,”
Only one third of British companies pay their ransom
Other successful attack methods were malware (35%) and ransomware (37%). A total of 38% of British companies have already paid a ransom to cybercriminals. In a European comparison, companies in the UK pay more often than in France (30%) but less than Germany (45%). More ransom payments are made by Dutch neighbours (46%). Supply chain attacks are also seen as a threat by IT security officers - 76% of respondents see supply chain attacks as a security risk. Eighteen per cent of respondents’ organisations have already been the victim of a supply chain attack, and 83% agree that their own security depends on the security standards of their partners.
93% of companies see creating high level security awareness as a priority
Two-thirds of companies surveyed say they have a high level of security awareness with the focus on strengthening security awareness already reflected in the companies’ investment plans - 51% of the companies that have already been attacked estimate that investments in security awareness measures will increase in the next one and a half years. Creating a security culture is a priority for 93% of companies.
Senior management’s focus on IT security has also increased for more than half of companies (51%). Hellman says:
“It is a welcome development that companies are aware that they need to invest in addressing the human factor in IT security – and that this has also reached senior management. However, our actual behavioural data shows that we still have a long way to go – around 31% still click on phishing emails, and 52% even go on to disclose further sensitive data. We see a gap here that we need to fill: while employees understand the importance of cybersecurity better than before, they still need support to internalise secure behaviour in the long term. That is our mission: to strengthen digital self-defence in the long term – and to fight cybercrime together.”
For more information, see the Human Risk Review 2023.