- As employers continue pushing for hybrid work, more than one-quarter of employees in a recent survey by email security firm Tessian said they fell for a phishing attack in the past year, and an even greater number said they sent an email to the wrong person.
- The survey of 1,000 U.S. professionals and 1,000 U.K. professionals found that respondents also were more likely to fall for advanced phishing attacks than they were in 2020, according to Tessian. For instance, 52% said they fell for attacks because an attacker impersonated a senior executive, up from 41% in 2020.
- The share of employees who did not report their mistakes to information technology departments also increased to 21% in 2021 from 16% in 2020. The trend indicates employees may be fearful of reporting mistakes given harsher consequences, Tessian said, but it also may mean security teams have less visibility of threats.
Cybersecurity incidents are not only growing more prevalent. They are also becoming more costly. Research this year from Palo Alto Networks found that the average ransomware payment increased by 78% in 2021 to a dollar amount of more than $500,000, CFO Dive reported.
Phishing attacks were one of the top three forms of internet crime reported by victims in the Federal Bureau of Investigation's 2020 Internet Crime Report. The agency found 241,342 complaints about phishing scams involving adjusted losses of over $54 million. The FBI encouraged users to protect themselves through "extreme caution in online communication" and by verifying email senders, particularly because criminals may change only one letter in an email address to make it seem familiar to a potential victim.
Tessian is not the first voice in the cybersecurity space to warn employers against creating security cultures that discourage employees from reporting incidents. Rather than emphasizing "fight or flight responses" in cyber training, sources who previously spoke to HR Dive recommended that training be informed by a psychologically safe approach.
Aside from training, HR can meet with security teams, IT teams and other stakeholders to ensure their organization has back ups in place that ensure continuity. In the event that employee data is compromised, experts may recommend working with auditing services or forensics professionals.
The past few months have shown that vulnerabilities can exist within an organization's external functions, as well. When a ransomware attack struck timekeeping and payroll provider UKG last December, organizations scrambled to put back ups in place and continue critical processes. Attacks against vendors, HR-related or otherwise, have led to broader vulnerability concerns.