There is a lot of negativity and bad news in the cybersecurity world. In fact, there is rarely an article about the topic that doesn’t have a “but” attached. And this is no exception. The good news is that a report by Mimecast found that many companies (40%) are indeed ready for the new GDPR regulations rolled out last month. Forty-eight percent are somewhat confident. This is noteworthy indeed. And now the but…

The report, Email Security Risk Assessment, also found that companies are largely still not great at detecting phishing attacks. More than 90% of the organizations it surveyed were hit with phishing attacks and about 20% of those suffered financial harm because of it. In addition, of the 95+ million emails that were examined as part of the survey, 15% were considered to be “bad” or “likely bad.”

While 15% may not seem like a lot compared to other statistics, it truly is important. That’s because it just takes one person to open an infected email message to open Pandora’s box, when it comes to phishing. And although more organizations are indeed doing periodic training regarding phishing, it’s usually on a quarterly or yearly basis, which frankly isn’t nearly often enough.

Phishing attacks evolve all the time. What may have been caught by spam filters last week, may not be caught next week. All it takes is a miniscule change by the malware author to make it undetectable at any given time. All that needs to happen after that is that email landing in an employee’s in box and getting clicked. Damage is indeed done.

Just when you think awareness training isn’t important, keep these figures in mind:

  • 95 million emails inspected
  • 14,277163 were spam
  • 9,992 contained dangerous file types
  • 849 were from unknown senders with malware attached

All of these made it to the recipients’ in boxes. Only one opened is necessary to put your organization in that group that felt a financial hit, lost customers, or felt a ding in reputation because of phishing.

Cybersecurity awareness does seem to be increasing. However, 94% of the firms surveyed said they had seen untargeted phishing attempts within the last year. 92% saw targeted ones, which can be even more difficult for users to detect.

So, since sandwiching bad news between good bits tends to lighten the blow, here’s the other piece of bread in the sandwich (or cookie if you wish)…more and more companies are in the process of getting DMARC rolled out (27%) and 29% are planning to get to it within the next year. Why is DMARC significant? Because it ensures that the messages being exchanged between communicators are properly authenticated against established standards. Further, it prevents some spoofing of the email sender, which is often how phishing emails catch people out.

In the meantime, remember to put a training program together for your employees, consultants, and anyone who uses your network connections. Because even someone on your guest network can set malware loose on your network if they click an infected link.