Phishing attacks are on the rise.
In 2020, 93% of UK organisations were targeted by Covid-19-related malware. 88% of security professionals reported an increase in phishing attacks.
Typically, criminals behind a phishing attack aren’t attempting to steal money. They’re attempting to steal something potentially much more valuable: data.
When phishing attacks trigger data breaches, the consequences for businesses can be severe.
Following the announcement of a data breach, a company’s reputation immediately takes a hit.
Headlines like “British Airways data breach: Russian hackers sell 245,000 credit card details” and “EasyJet admits data of nine million hacked” become mainstream news stories. It doesn’t matter how formidable a company’s PR department might be.
Such reports can take years to fade from memory. As long as they linger, they influence public opinion of a brand.
Loss of custom
Reputational damage is just the beginning of the backlash.
News of a data breach tends to make customers nervous. A 2019 survey revealed 44% of UK consumers will stop spending with a business for several months in the immediate aftermath of a data breach. 41% of consumers reported they would never return to a business that had experienced a breach.
After 157,000 TalkTalk customers had their data compromised in 2015, customers left in their thousands. The costs of the breach reached £60m in 2016 alone. In 2019, it was reported that the company failed to notify 4,545 customers affected by the breach at the time. The ramifications, it seems, will continue for years.
Loss of company value
Breaches don’t just affect consumer confidence. They impact investor confidence, too.
Recent analysis of companies listed on the New York Stock Exchange found share prices fell 7.27% on average after a data breach.
Following the compromise of Facebook user data in 2018, Facebook’s valuation dropped by $36bn. British Airways’ 2018 data breach led to a more than 4% drop in its share price. In public companies, the pattern is clear: following a breach, company value decreases.
Financial penalties for the misuse or mishandling of data have been in place for decades. Post-Brexit, under UK GDPR, the penalties can total £17.5 million or 4% of a company’s annual global turnover – whichever is higher.
In October 2020, British Airways was fined a record £20 million by the Information Commissioner’s Office (ICO). The fine related to BA’s 2018 data breach in which more than 400,000 customers’ personal details were compromised by criminals.
Marriott Hotels was fined £18.4 million in 2020 for its 2014 data breach.
The ICO continues to crackdown on businesses that fail to keep customer data secure.
No matter how small they might be, breaches inevitably lead to business disruption.
The 2020 Cyber Security Breaches Survey identified phishing attacks as the most disruptive form of cyberattack for UK businesses. For 67% of businesses, the single most disruptive attack in the last 12 months was a phishing attack.
Phishing attacks can paralyse a business. Staff might be unable to continue their work. Data and assets might be stolen or damaged. Customers might be unable to access online services.
Most businesses are able to restore operations within 24 hours. But in cases with a material outcome – including a loss of money or data – 41% of businesses take a day or more to recover.
Safeguarding against phishing
Phishing filters can help. But no phishing filter is 100% effective.
The good news is, phishing emails getting through isn’t all bad. In fact, the more people come into contact with these threats, the better they become at dealing with them. This is known as antifragility.
The people who receive phishing emails have more power than we tend to think. They can identify, report, and negate phishing threats.
And they don’t have to do it alone. CybSafe Assist offers support and guidance on demand. It provides answers to security questions when people need them most. And CybSafe Connect, a mobile app, allows people to access this help wherever they are.
For a long time, people have been seen as a security “weakness”. By treating people as a defence, businesses can equip staff with the tools and training they need to counter phishing threats.
More and more security teams are adopting this idea. In time, we believe the trend will continue.