Phishing attacks: staff shortages leading to longer remediation times
More than half of IT professionals surveyed by software solutions provider Ivanti said their organisation has suffered from staff shortages, with 64% confirming under-resourcing is leading to longer phishing remediation times.
“With fewer members of staff, the ability to mitigate security issues speedily has been vastly reduced. Any downtime caused by a security incident costs an organisation money and damages productivity. Furthermore, 46% cited increased phishing attacks as a direct result of staff shortages,” said Ivanti in a statement.
The findings are from Ivanti’s recent survey of over 1000 enterprise IT professionals across Australia, Japan, the US, UK, France and Germany.
The global shift to remote work has exacerbated the onslaught, sophistication, and impact of phishing attacks, with 80% of respondents saying they have witnessed an increase in the volume of phishing attempts and 85% saying those attempts are getting more sophisticated.
In fact, 73% of respondents said that their IT staff had been targeted by phishing attempts, and 47% of those attempts were successful. Smishing and vishing scams are the latest variants to gain traction and target mobile users.
According to recent research by Aberdeen, attackers have a higher success rate on mobile endpoints than on servers – a pattern that is trending dramatically worse. Meanwhile, the annualised risk of a data breach resulting from mobile phishing attacks has a median value of about $1.7m and a long-tail value of about $90m.
More than 35% of respondents cited a lack of both technology and employee understanding as the main causes for successful phishing attacks, but 34% blamed successful attacks on a lack of employee understanding.
While 96% of IT professionals reported that their organisation offers cybersecurity training to teach employees about common attacks like phishing and ransomware, only 30% of respondents said that 80–90% of employees had completed the training.
“Reducing the risk of phishing attacks is a race against time, in more than one dimension. Enterprise IT pros must stay ahead not only of the attackers who are constantly crafting new attacks, but also of their own users — who are shockingly quick to click on malicious links,” said Derek E Brink, Vice President and research fellow at Aberdeen Strategy & Research.
“While many organisations have been making investments in security awareness training initiatives, they should also be prioritising and applying advanced automation, artificial intelligence, and machine learning technologies to more quickly and consistently identify, verify, and remediate phishing threats.”
Chris Goettl, Senior Director of Product Management at Ivanti, said, “To effectively combat phishing attacks, organisations need to implement a zero-trust security strategy that incorporates unified endpoint management with on-device threat detection and anti-phishing capabilities. Organisations should also consider getting rid of passwords by leveraging mobile device authentication with biometric-based access to eliminate the primary point of compromise in phishing attacks.”
