Nearly half of British companies (43%) have been the victim of a cyberattack in the past three years, with over a third of them more than once (17%), according to new research*. Most British IT security managers agree that the geopolitical situation (79%), hybrid working (76%), and artificial intelligence (68%) have worsened the cyber threat situation.
SoSafe’s 2023 Human Risk Review provides an overview of the current cyber threat landscape and corporate security culture based on responses from over 1,000 IT security managers in Europe, multiple expert interviews and more than 8.4 million data points from the SoSafe awareness platform.
Dr Niklas Hellemann, CEO and founder of SoSafe, said: “Our society has experienced a multitude of crises and conflicts in the past year. The resulting ongoing uncertainty as well as fear and stress play into the hands of cybercriminals, who exploit this for new social engineering attacks. Cybercrime is now a highly professionalised business model that can invest extensive resources in research and development. Tactics and strategies are adapted every minute to use these new insights for profitable cyber attacks.”
Phishing remains a perennial threat – with new innovations in emotional manipulation
83% of the respondents said that they see phishing and the emotional manipulation of people as a security risk. Phishing is also the attack method that affected most of the companies surveyed, at 40%. SoSafe’s data shows that 1 in 3 people (31%) click on harmful links or attachments in phishing emails. Subject lines such as “Damaged car” and “Teams invitation” were the most likely to tempt people to open, click or even enter personal information on a further website. Employees seem to be particularly susceptible to social engineering tactics that trigger strong emotions, such as pressure (24%), authority (28%) or financial appeals (18%). According to data from the SoSafe platform, this type of emotional manipulation tends to result in higher click-through rates on phishing emails than in previous years (2021: pressure, 24%; authority, 24%; financial appeals, 17%).
“Phishing remains the most used and also most successful attack strategy on the human factor. Every third person still clicks on harmful content in phishing emails. This is mainly because cybercriminals have numerous options for highly personalised phishing attacks that average users are not prepared for – they use personal information from social media, instrumentalise geopolitical events that usually trigger strong emotions or use artificial intelligence to imitate images, videos or voices. And this is the new norm – cybercriminals will constantly develop new, creative attack strategies,” said Hellemann.
Only 1/3 of British companies pay their ransom
Other successful attack methods were malware (35%) and ransomware (37%). A total of 38% of British companies have already paid a ransom to cybercriminals. In a European comparison, companies in the UK pay more often than those in France (30%) but less often than those in Germany (45%); their Dutch neighbours pay most often (46%). Supply chain attacks are also seen as a threat by IT security officers: 76% of respondents see supply chain attacks as a security risk. 18% of respondents’ organisations have already been the victim of a supply chain attack, and 83% agree that their own security depends on the security standards of their partners.
93% of companies see creating high level security awareness as a priority
Two thirds of companies surveyed say they have a high level of security awareness, and the focus on strengthening security awareness is already reflected in the companies’ investment plans: 51% of the companies that have already been attacked estimate that investments in security awareness measures will increase in the next one and a half years. Creating a security culture is a priority for 93% of companies.
Senior management’s focus on IT security has also increased for more than half of companies (51%). “It is a welcome development that companies are aware that they need to invest in addressing the human factor in IT security – and that this has also reached senior management. However, our actual behavioural data shows that we still have a long way to go – around 31% still click on phishing emails, and 52% even go on to disclose further sensitive data.
“We see a gap here that we need to fill: while employees understand the importance of cybersecurity better than before, they still need support to internalise secure behaviour in the long term. That is our mission: to strengthen digital self-defence in the long term – and to fight cybercrime together,” says Hellemann.
For more information, see the Human Risk Review 2023
The Human Risk Review includes data from a survey conducted in collaboration with Censuswide, an international market research institute. More than 1,000 security managers from six European countries (Germany, Great Britain, Austria, Switzerland, the Netherlands and France) were interviewed in February 2023. In addition, exclusive data from the SoSafe awareness platform was anonymously evaluated: more than 8.4 million simulated phishing attacks from 3,000 customer organisations from the year 2022 were analysed. In addition, data from the annual phish test conducted by SoSafe and Botfrei was used. In 2022, more than 9,000 simulated phishing emails were sent to registered users, which were classified as moderately severe in the simulation and had to be recognised by the user. Finally, the results were discussed with 9 experts, including Thomas Tschersich (CISO of Deutsche Telekom AG), Dr. Katrin Suder (Strategy Expert Digital Technologies, Economy & Politics), Tobias Ludwichowski (CISO Signal Iduna), Dr. Stefan Lüders (CSO CERN), Jens Becker (CIO Zurich Group Germany) and Thomas Schumacher (Managing Director Accenture Security DACH).
*Research from SoSafe