How phishing has catastrophic effects on organizations
Phishing attacks are a certified menace. And it doesn’t matter what size or shape your organization is. Or where it is. Or whether you have dress-down Fridays.
What’s more, phishing attacks are on the rise.
Safe to say cybercriminals have been really putting in the hours in the past few years. But it’s worth their while, because they’re getting valuable data.
And as surely as it lines criminals’ pockets, it hits organizations’ bottom line, hard. But that’s just one of the downers.
Criminals are getting more sophisticated and creative. Every. Darn. Day.
Don’t get us wrong, the good old traditional phishing email still convinces plenty of perfectly sensible people into clicking the link.
But they like to mix it up and use more sophisticated methods like spear phishing and whaling. And they think nothing of using social media’s social engineering potential as well. Variety is the spice of life, after all.
It’s simple enough. Phishing attack = data breaches = a world of hurt for your organization.
Some organizations only find out just how catastrophic attacks are when they get hit. And every single one wishes they’d thought more about it before.
So, what better time to explore the impact of phishing attacks on organizations? It’s the perfect time for you to check you’re doing all you can to fortify your defense strategy. And, it’s never been a better time to up your game with our new approach to phishing sims. More on that later.
Exactly how are organizations impacted by phishing attacks?
Phishing attacks rain down a whole host of nasty outcomes on organizations. Let’s take a look at some of the most devastating downsides.
Direct financial losses
Phishing attacks lead to serious financial losses. That’s because hackers love using sneaky tactics like stealing credentials or sending fake invoices to trick people.
The FBI’s Internet Crime Complaint Center (IC3) says that in 2019, these types of attacks resulted in an eye-watering $1.7 billion in losses for organizations.
That’s a lot of dough. And it’s money that the organization had plans for. To grow and improve their services, maybe. Or invest in new equipment. Or to buy some really nice beanbags for the chillout corner.
Damage to reputation
You’ve seen the news: Phishing attacks can inflict long-term damage to an organization’s reputation. In part this is because, once they’ve compromised your systems, attackers can send out spam or other malicious emails posing as your organization.
Customer and partner trust? Kaput.
And in a world where news travels at lightning speed, the fallout from a phishing attack can spread far and wide.
And it doesn’t matter if you’ve got the best PR agent in the world. When you announce a data breach, your reputation immediately takes a hit. And a loss of business always follows. Always.
Headlines detailing the extent of the breach, the number of individuals affected, and the negligence of the organization can spread like wildfire, tarnishing their image for years to come. The impact of such incidents on public opinion can be difficult, if not impossible, to repair.
Much like the ex who insisted on serenading you on the ukulele, data breach reports can take years to fade from memory. And as long as they linger, they’ll haunt and hinder public opinion of your brand.
Loss of customers
What people are saying and thinking about you is one thing. But the phishing fallout can have customers running for the hills.
A 2019 survey found that a whopping 44% of UK consumers stop spending with a brand for several months after a data breach, while 41% say they’d never come back at all. Yikes.
Just look at TalkTalk, they had 157,000 customers’ data compromised back in 2015. Customers left them in droves. All told, the breach ended up costing £60m in 2016 alone.
And get this: in 2019, it was revealed that they hadn’t even told 4,545 customers they were affected by the breach. Not surprising that the fallout from that one is still being felt today!
Disruption of operations
Phishing attacks aren’t just a nuisance, they can seriously disrupt an organization’s operations.
Once an attacker’s found their way into your network, they can install malware or ransomware, which could cause system outages and other nasty disruptions.
We all know that means lost productivity, and all the joys it brings with it.
Now, how about this: The 2020 Cyber Security Breaches Survey identified phishing attacks as the most disruptive form of cyberattack for UK organizations.
That’s right. For two thirds of them, the single most disruptive attack in the last 12 months was a phishing attack.
Not surprising given how a successful phishing attack can paralyze your organization. Your people won’t be able to continue their work. Plus your data and assets could be stolen or damaged. And your customers can’t use your online services.
Sure, most organizations are able to restore operations within 24 hours. But in cases with a material outcome—like a loss of money or data—41% of organizations take a day or more to recover.
Loss of organization value
As if hitting your organization’s people, bank balance, reputation and operations weren’t enough. Let us tell you, your investors are also going to feel the sting.
After Facebook’s 2018 breach, their valuation plummeted by $36bn. And British Airways? Well, after their data breach in the same year, their share price dropped by over 4%.
It’s crystal clear: a breach equals a decrease in an organization’s value.
Regulatory fines
These fines are no joke.
Under the UK GDPR, fines for the misuse or mishandling of data can reach £17.5 million or 4% of an organization’s annual global turnover, whichever is higher.
Here are some real-life examples:
British Airways got hit with a record fine of £20 million by the Information Commissioner’s Office for their 2018 data breach, where over 400,000 customers’ personal information got compromised.
They’re not alone. Marriott Hotels was fined £18.4 million in 2020 for their 2014 data breach.
And in the USA, fines can be just as hefty as in the UK.
In 2019, Equifax was ordered to pay up to $700 million over their 2017 data breach, which exposed the personal information of nearly 150 million Americans. It was one of the biggest data breaches in history, and the Federal Trade Commission wasn’t messing around.
And Capital One was fined $80 million by the Office of the Comptroller of the Currency for their 2019 data breach, which affected over 100 million Americans.
So, make no mistake, regulators are cracking down hard on any organization that fails to keep their customer data secure.
What about the impact of phishing attacks on individuals?
Right, enough about the damage that phishing attacks can do to an organization.
An organization is only as secure as the people in it.
Now, let’s talk about the impact of phishing attacks on individuals who have been targeted. It can be really nasty:
Identity theft
When a cybercriminal successfully steals an individual’s personal information in a phishing attack, they can use that info to pretend to be them. This can cause all sorts of trouble, like hurting their credit score, and can even damage their reputation.
Mental wellbeing
Being a victim of a phishing attack can be incredibly upsetting for the person targeted. It’s a violation of trust and can make them feel helpless. This can lead to feelings of anxiety, stress, and other emotional disturbances.
Productivity loss
Dealing with the fallout of a phishing attack can also have a major impact on an individual’s work performance. They might have to spend a lot of time and effort dealing with the aftermath, which can lead to decreased productivity, absenteeism, and other negative impacts on their work.
So, there you have it. It’s clear that corporate phishing attacks can have serious negative effects on the individuals who are targeted.
And that makes it even more important to set up top-notch cybersecurity measures to guard against these types of threats.
1. Tech up space
If you haven’t got technical measures in place you’re missing a trick. There are so many tools out there to prevent phishing attacks from being successful, from email filters to firewalls and antivirus software.
2. Get the multi-factor
Adding an extra layer of security can go a long way in protecting against phishing attacks. By requiring users to provide multiple forms of identification, such as a password and a fingerprint scan, it makes it much harder for cybercriminals to gain unauthorized access.
3. Be a risk-assessment mastermind
Stay one step ahead of the bad guys by regularly [assessing your organization’s risks and vulnerabilities.
4. Stay in the know with the latest cyber trends
Keep your team updated about the latest cyber threats and trends. It’s all about keeping up with the latest cybersecurity news.
5. Get your people savvy
Far and away the most important one. If you do one thing only, help your people know what to look out for. And help make it easy for them to make the right security decisions. You need to keep everyone in the loop about the risks and how to identify phishing attempts.
The thing about people is, for a long time, they’ve been maligned as the weak link in the security chain. And not only is it total rubbish … but it’ll harm your security game. And no one’s got time for that.
You’re probably mentally writing a to-do list by this point. But you don’t have to do this alone.
Take for instance phishing simulations.
Just like petting a porcupine, there’s a right way and a wrong way of going about it.
How do you avoid the pitfalls?