As discussed in our previous phishing article, phishing is an attack method that uses email campaigns and bogus websites to fool individuals into disclosing personal information, downloading malware/ransomware, or both. Organizations are being targeted daily by phishing attacks.
What’s more, phishing tactics are increasing in both quantity and sophistication on a global scale. Each year, more attacks affect businesses of every size, from the world’s largest corporations to small ventures. Because of their size, popularity and overall value, the largest corporate targets receive thousands of phishing attacks a month. Companies of all sizes and industries must act now in their own defense.
The trouble is that many companies rely too heavily on basic spam filtering software to prevent these attacks, and the majority of spam filters will eventually fail. A well-designed phishing campaign will not trigger volume-based spam filters until after your staff have already been exposed. Ideally, you need purpose-built anti-phishing software to stop these emails before they reach your staff. Even then, there is always a chance that a malicious email will make it through, and when it does, the resulting impacts can be catastrophic. Below, we have outlined some of the basic impacts of a successful phishing campaign.
First and foremost, if your organization finds itself the unfortunate victim of phishing, it will most certainly face direct monetary costs. Apart from the direct costs of a breach, phishing attacks on your personnel may also result in fines imposed by regulatory bodies in the case of breaches that cause violations of GDPR, PIPEDA and PCI, to name a few.
The costs of providing identity protection and/or reimbursement to employees or customers whose data is stolen, as well as theft from your company itself, can easily run into the millions. For example, should regulatory bodies choose to issue maximum penalties following a breach, as under the Data Protection Act following the misuse of data at Facebook, fines could be astronomical. See our article Cost of a Data Breach for more details.
Intellectual Property Loss
Beyond monetary losses, theft of intellectual property as a result of a successful phishing campaign can easily be the most destructive loss of all. Trade secrets, research, customer lists, formulas and new developments can all be compromised by a phishing attack. For organizations in the fields of technology, defense and pharmaceuticals, a single project or drug patent could easily represent hundreds of millions in research expenditures.
At a basic level, brands and reputations are built on trust. Equally, the public disclosure of a humiliating internal communications breach can create reputational damage that taints the brand indefinitely. The media exposure alone around a serious breach sways the perception of the overall brand as untrustworthy for employees, partners, and customers.
Brand is the groundwork of practically every company’s market capitalization. In a previous Packetlabs blog, we discussed how Coca Cola’s branding alone is worth 60% of the product itself, 60%! In other words, the brand damage alone resulting from a phishing attack on your staff has the potential to cut hundreds of millions off your market capitalization. See our blog “What’s in a brand” for more details of the impacts.
Unfortunately, the damage does not end there. A successful phishing attack, leading to a breach, will not only impact customer confidence but investor confidence as well. Investors have a moral responsibility to ensure cybersecurity initiatives are given first priority during all stages of business development. During the last five years, cyberattacks have nearly doubled, driving down consumer confidence and incentivizing a significant demand for cybersecurity to protect consumer data and privacy.
Following the compromise of Facebook user data in 2018, Facebook’s total value dropped by 36 billion dollars, a loss from which the company is still recovering. For publicly owned organizations, the trend is clear: after a breach, company value declines.
In the current day, we are living through perhaps the most significant example of business disruption of our lifetimes. The impact of COVID-19 has caused sweeping damage, affecting business operations across company sizes and industries. Attackers have seen this as a golden opportunity. Hackers will always exploit a crisis, and the COVID-19 pandemic is no exception. Since the start of the outbreak, most phishing campaigns have involved hackers impersonating health organizations and distributing phoney coronavirus-related news. As a result of the widespread panic and the shift to a remote workforce, many organizations have found themselves the unfortunate victims.
Beyond the brand impacts, business interruption of critical infrastructure such as energy, transportation, water, health, waste and technology, i.e. the backbone of our economy, can result in sweeping economic losses and social disruption.
In the previous Packetlabs blog, How do you prevent Phishing Attacks, we outlined step-by-step guidelines to help reduce the chances of your organization becoming an attacker’s next phishing victim. To learn more about how Packetlabs can help your organization take the appropriate steps to mitigate phishing risks, contact us for more detail.