Two thirds of employees gamble with security

the editorial team

5 March 2024

Over two-thirds of Dutch employees knowingly put their organization at risk, leading to ransomware or malware infections, data breaches, or financial loss. More than four in five organizations surveyed experienced at least one successful attack in 2023. Reports of financial penalties, including fines, increased by 460 percent. This is indicated by Proofpoint’s annual research, published in its State of the Phish report.

Employees are not taking risky actions because security awareness is lacking. Of the working respondents surveyed, nearly three-quarters take risky actions such as reusing or sharing passwords, clicking on links from unknown senders, or handing over data to untrustworthy sources. Of them, 95 percent are aware of the risks. This means that 69 percent of Dutch employees voluntarily undermine their organization’s security. People say they do this because of convenience (47%), time savings (32%) and a sense of urgency (15%).

IT teams and employees differ on how to encourage behavior change. While 84 percent of security professionals surveyed say they are responsible for security, 66 percent are unsure or do not claim to be responsible. Virtually all employees are aware of inherent risks (95 percent).

There are clear differences between what security professionals and employees think works in encouraging behavioral change. Security professionals think more training (87%) and tighter controls (74%) are the answer, but nearly all respondents (96%) prioritize security over simpler and more user-friendly controls.

MFA still gives a false sense of security, resulting in corporate exposure. More than one million attacks occur every month using an MFA bypass framework named Evil Proxy. Worryingly, 82 percent of security professionals believe MFA provides complete protection against account takeover.

Business email compromise (BEC) now makes use of AI as well. Three-quarters of Dutch companies were victims of BEC attacks in 2023 (down from 92 percent in 2022). Globally, fewer organizations reported email fraud attempts. Attack volume did grow in countries such as Japan (35% annual increase), South Korea (+31%), and the United Arab Emirates (+29%). Cultural or language barriers may be reasons why fewer BEC attacks occurred here previously. However generative AI allows attackers to create more persuasive and personalized emails in different languages. Each month, Proofpoint detects an average of 66 million targeted BEC attacks.

Cyber extortion, meanwhile, remains a lucrative form of attack. Nearly three-quarters of Dutch companies surveyed were victims of a successful ransomware infection in 2023, down from 76 percent in 2022. More than half of Dutch IT professionals report that their organization was the victim of several ransomware attacks. Of the affected organizations, 56 percent paid a ransom (down from 76 percent in 2023). Of these, a quarter regained access to their data after payment (down from 52% in 2023).

Telephone-oriented attack delivery (TOAD) continues to increase. While TOAD messages may not initially appear malicious, they activate the attack chain as soon as an unsuspecting employee calls a fraudulent call center and provides his or her information. Proofpoint detects an average of 10 million TOAD attacks per month. In August, this peaked at 13 million incidents.

Despite the increase in awareness and sophistication of threats such as ransomware, TOAD, and MFA bypass, several organizations remain insufficiently prepared for them. But 32 percent of Dutch companies train users in the prevention of TOAD attacks and 18 percent educate users on the security of generative AI.