The (lack of) strategy against phishing fraud
Self-inflicted weak spots among UK organizations
Fewer than a quarter of UK organizations have a formal cybersecurity strategy. Combined with a general lack of other countermeasures among businesses and charities, this leaves a serious, self-inflicted gap at a time when phishing attacks are rising.
The data comes from the UK government's Cyber Security Breaches Survey 2022, an annual survey of businesses and charities across the United Kingdom that covers the impact of cyber attacks and attitudes towards adopting cybersecurity measures.
A question new to the 2022 survey asked whether organizations have a formal cybersecurity strategy, defined as ‘a document that underpins all policies and processes relating to cyber security’. Such a document is what lets an organization decide in advance how it will handle threats and breaches, rather than improvising when one occurs. Only 23% of businesses overall, across micro to large firms, reported having one, out of a sample of 1,243 businesses.
This is troubling: without a strategy, an organization has no agreed way of dealing with threats, and that lack of formal preparation raises the chance that an attack succeeds. The picture gets worse when this finding is combined with others from the survey, as shown in the table below.
The pattern is that the quality of cybersecurity tracks the size of the organization. Micro firms, those with the fewest employees or the lowest annual turnover, are the weakest on every measure: leaving aside insurance cover, fewer than 20% of them have any of the countermeasures listed. Medium firms appear to be the best prepared, with 35% having a formal strategy as well as staff training and an insurance policy. Even so, fewer than a quarter of businesses overall have reliable countermeasures in place.
The scale of the threat lies in the rising number of attacks, as the Office for National Statistics has set out. The ONS reported a spike in online fraud during the 2020 pandemic, when casual internet users and organizations alike were spending far more time online. Cases reported to the police stood at around 234,069 then; by 2022 the figure had reached 936,276, roughly a fourfold increase.
Over £960 million was lost to online fraud in 2022, and phishing is the largest single contributor to that total.
What is Phishing Fraud?
The National Cyber Security Centre defines phishing as ‘when attackers attempt to trick users into doing ‘the wrong thing’, such as clicking a bad link that will download malware, or direct them to a dodgy website’. The lure can arrive over any channel, including text messages and social media, but most often by email. A successful phish can lead to theft of money and property and to malware being installed. What makes phishing so dangerous is not only its volume but that it works against any organization, regardless of size, because it targets people rather than technology.
Of the 573 survey respondents who identified a breach or attack in the preceding 12 months (2021 to 2022), 83% identified phishing, making it the most common type of attack across all organization sizes. Among the 333 respondents who reported being affected, phishing was also rated the most disruptive, ahead of hacking and malware, both of which were rated less disruptive than in 2021.
Despite this, fewer than 20% of businesses have given their staff training that covers phishing specifically.
“We are in the midst of an epidemic of scams,” founder of MoneySavingExpert, Martin Lewis, explains, “...I’ve long called for regulation and law changes to make these big tech firms step up to the plate and deny these scammers the oxygen of publicity.”
There has been official action in response to these trends: the Online Fraud Charter.
What can be done to prevent phishing?
Under this voluntary charter, signatories ranging from social media platforms such as Facebook and X (formerly Twitter) to marketplaces such as Amazon and eBay commit to removing fraudulent activity from their sites, mainly through content filtering and user verification, and to working with the UK government to do so.
Rishi Sunak announced the Online Fraud Charter on 30 November 2023, saying, “We have already taken action… launching our Fraud Strategy and deploying a National Fraud Squad made up of 400 dedicated officers, all backed by £400 million.” He added that overall fraud cases are beginning to fall and that the work continues.
The charter has been broadly welcomed, and its future development is awaited with interest. The problem is that it does little for organizations directly: it may make the internet safer over time, but it is too early to judge its success, and it says nothing about how firms approach cybersecurity internally.
The survey shows that 36% of businesses that identified an attack but suffered no material outcome took no action to improve their cybersecurity; among businesses that did suffer a material loss, that share falls to 17%. Organizations take cybersecurity less seriously until a breach actually hurts them, possibly because they over-rely on insurance policies that cover cyber incidents.
Some firms in every size band, even micro firms, have some form of cyber cover in their insurance policies. In smaller organizations this appears to stand in for weaker areas such as a formal strategy or staff training; by contrast, only 28% of large firms hold dedicated cyber insurance, probably because they have fewer gaps to compensate for.
Insurance has a place, but it transfers some of the financial consequences of an attack rather than reducing the chance of one. It should be treated as an additional layer of protection, not as a solution to the problem.
Amid the wave of cyber attacks that accompanied Russia’s invasion of Ukraine in the first quarter of 2022, the price of cyber insurance rose sharply, by 102%, making it an even less attractive option for small firms that already rarely buy dedicated cyber cover.
Cyber insurance is not useless against phishing fraud, but as the larger, less insurance-dependent firms show, it has to be used alongside other measures. Adopting a formal cybersecurity strategy and training staff are the crucial steps UK organizations must take to protect themselves from evolving threats such as phishing, because awareness, together with systems in place to counter attacks, is exactly what most of them currently lack.