Advanced Software

Security education is vital as phishing threats grow

25/02/2016 | Amanda Grant

Malware and phishing overtake humans as biggest security threat to businesses, with awareness raising seen as vital

IT decision makers in the UK view malware as the main security threat to their organisation, but there is growing concern about phishing and spear phishing. These are two of the findings from a report, ‘Data Security and Risk Management Review’.

The report includes a survey which highlights the ten main threats facing organisations. While human actions (malicious or accidental) remain a major vulnerability, malicious software (malware) ranked above them as the number one threat. Meanwhile, phishing and spear phishing appear to be the fastest growing risks, with 65% of the 300 respondents identifying them as a threat they think is increasing in severity or frequency.

In addition, spamming appeared in fourth place, above distributed denial of service (DDoS) and social engineering, the tactic of manipulating people into giving up confidential information such as passwords and bank details. These types of attack are also becoming more sophisticated, with phishing emails that appear to come from a trusted source becoming more difficult to identify.

As a result of these escalating threats, raising awareness and knowledge of security issues among employees is increasingly important. The review considers the so-called “security knowledge gap” between security professionals and other staff and also the information disparity between them and the criminals they are trying to stop. With threats evolving at such a fast pace, there are concerns that many businesses are playing catch-up with hackers.

When asked what the most important tool is for increasing knowledge and awareness of threats, exactly half of respondents suggested awareness-raising programmes. This was followed by formal training (39%), threat intelligence (36%) and industry/peer information (35%). It is clear that IT decision makers recognise the need for greater security training and education. Respondents also agreed that training should be carried out at regular intervals.