Are Larger Organizations More Susceptible to Spear Phishing Attacks?

IT professionals attending Microsoft TechEd 2012 last month took a break to weigh in and offer their opinions on a handful of security questions about their own corporate IT systems. According to those who participated in the informal survey, it appears that larger organizations are indeed more susceptible to spear phishing.

For those respondents from organizations with 1,000 or more email users, more than half (56 percent) believe their organizations were targeted by a spear phishing attack. Of this group, 27 percent did not believe they were the targets of a spear phishing attack and 17 percent reported they did not know.

In comparison, of those respondents from organizations with fewer than 1,000 email users, only 42 percent believe their organizations have ever been targeted, 39 percent did not think their company had experienced a spear phishing attack and 19 percent didn’t know.

Irrespective of organization size, half of all respondents believe that in the past year their organization has been a target of a phishing email designed specifically to compromise their own users. Another 31 percent did not believe they were the targets of such an attack and 18 percent reported they did not know.

“The findings from our June 2012 survey reinforce what many industry analysts and security experts have already noted—that targeted attacks against large organizations are extremely common and surprisingly effective in compromising user credentials and corporate IT systems,” comments David Knight, executive vice president of product management for Proofpoint, the company that administered the web-based survey from its TechEd booth.

Spear phishing is of special concern because it has been found to be a cause of security breaches. Among the TechEd survey participants, of the 17 percent who reported experiencing a spear phishing attack in the past year, more than one-third (34 percent) believed the attack resulted in the compromise of user login credentials (e.g., usernames/passwords) or unauthorized access to corporate IT systems.

What did the survey respondents believe presented the greatest data loss risk for their organizations when given the choice of outbound corporate email, social media, lost or stolen mobile devices, online file sharing/collaboration, and short messaging services? The answers are spread fairly evenly across the vectors, so for this group of participants there is no single consensus. In the respondents’ opinions:

  • 22 percent felt outbound email sent from their organizations is the greatest source of data loss risk.
  • 19 percent felt that online file sharing/collaboration solutions (e.g., services such as Dropbox, Box and others) are the greatest source.
  • 18 percent felt lost or stolen mobile devices are the greatest source of data loss risk.
  • 17 percent felt postings to social media sites (e.g., Facebook, LinkedIn) represent the greatest data loss risk.
  • Only 3 percent felt that short messaging services (e.g., Twitter, SMS text messaging) are the greatest source of data loss.
  • 21 percent of respondents marked “don’t know” when asked which of the five vectors poses the greatest data loss risk.

More than half of the 330 survey participants were from organizations with 1,000 or more email users. Approximately 99 percent of the respondents held security, risk management/compliance, CIO/CTO/CSO/CISO or other IT job roles, while 1 percent held academic roles.

What surveys like this one truly reveal is that there is no single vector that can be secured once and then forgotten. Threats are being designed for a variety of channels, from email and mobile to social media and SMS. IT today has to become well versed in securing all channels within an organization and remain vigilant.