http://www.securitymanager.net/magazine/news_h11781_nearly_half_of_it_decision_makers_surveyed_say.html
Websense’s Phishing Trends Survey suggests phishing websites difficult to identify; many companies not well protected against phishing attacks
Websense, Inc., the world’s leading provider of employee internet management solutions, today announced the results of its Phishing Trends study, which is part of the company’s annual Web@Work survey conducted by Harris Interactive®. From February 21 to 28, 2005, 354 U.S. IT decision-makers who work for organizations with at least 100 employees were interviewed online and from February 28 to March 21, 2005, 500 U.S. employees who have internet access at work and who work for organizations with at least 100 employees were surveyed over the telephone on phishing and IT security in the workplace.
According to Websense’s 2005 Phishing Trends Survey, only one-third (33%) of employees polled said that they have heard of phishing. Similarly, 4% of employees surveyed admitted that they had “fallen for a phish” and clicked through a link to a phishing website at work. Conversely, 82% of IT decision-makers surveyed stated that their employees have received phishing attacks via email or instant messaging (IM). In addition, 45% of IT decision-makers surveyed who have had employees receive a phishing attack said that their employees did click through the URL on the phishing attack. This discrepancy might suggest that employees have a difficult time deciphering whether a website accessed via a link in an email or instant message is legitimate or “spoofed” – a fraudulent website that appears to be authentic. Not surprisingly, half (50%) of the IT decision-makers surveyed do not believe that employees can accurately identify phishing sites.
“Phishers are becoming more sophisticated in their deception techniques to lure employees to spoofed websites, as most employees cannot determine which is a valid site and which is a fake,” said Dan Hubbard, senior director of security and technology research, and head of Websense® Security Labs™, at Websense, Inc. “However, employees don’t have to ‘fall for the phish’ and actually enter confidential information on a phishing website to be compromised. By simply clicking on a phishing URL, the site can install spyware, such as a malicious keylogger, on the employee’s computer which has the ability to capture data such as network passwords or social security numbers without their knowledge.”
Phishing is a relatively new phenomenon, but it is already viewed as an important security problem for IT decision-makers—32% of IT decision makers polled report that phishing attacks have caused security problems for their organizations in the past year. In addition, the majority of IT decision-makers surveyed do not feel their company is well protected from internet security threats, such as phishing attacks. Forty-three percent feel their company is only somewhat protected, and 14% feel their company is not very, or not at all, protected.
“Although the Websense survey shows that only four percent of employees admit to clicking on phishing URLs, this is actually a high number in the security community,” says Brian Burke, research manager for security products at IDC. “It only takes one employee to click on a phishing site and accidentally give out confidential corporate data, customer records, network passwords, or trade secrets, to jeopardize an entire organization’s intellectual property.”
To mitigate web-based threats such as phishing attacks, 60% of IT decision-makers surveyed reported they block executable programs (attachments) transmitted through email. However, only 14% said they block HTML within emails. Also, 47% of IT decision-makers surveyed said they block executables transmitted through IM, but only 24% indicated they block HTML within IM. “Most organizations already prevent attachments coming in through email; however, HTML within emails is frequently left unblocked—leaving employees vulnerable to attack from phishers hungry for confidential personal and company data,” said Hubbard.
Websense Security Labs mines more than 50 million websites per day, searching for sites infected with malicious code, such as spyware and phishing sites. In fact, more than 13,000 infected sites were discovered in the first quarter of 2005 alone. Websense Security Labs researches today’s advanced internet threats and delivers timely product and information updates to the security community and Websense customers to support them in making their infrastructure more secure.
2005 Phishing Trends Survey Results:
* PHISHING ATTACKS—one-third (33%) of employees surveyed said that they have heard of phishing, but only 4% said they had ever “fallen for a phish” and clicked through a link to a phishing website at work. However, half (50%) of IT decision-makers surveyed believe that employees cannot accurately identify phishing sites. This may be the case, as 82% of IT decision makers polled report their companies have had employees receive a phishing attack via email or IM, and 45% of these decision-makers polled said that employees did click through the URL.
* PROTECTION AGAINST PHISHING—the majority of IT decision-makers surveyed do not feel their company is well protected from internet security threats, such as phishing attacks. Forty-three percent feel their company is only somewhat protected, and 14% feel their company is not very, or not at all, protected.
* SECURITY CONCERNS—32% of IT decision-makers surveyed believe that phishing attacks have caused security problems for their organizations in the past year. Spyware (65%), followed by employee use of bandwidth-clogging applications, such as streaming media (42%), and employee use of unlicensed/unsanctioned software (39%), were also listed as security concerns.
* WHAT COMPANIES BLOCK—when asked if they block executables and/or HTML, 60% of IT decision-makers surveyed said they block executable programs transmitted through email, but only 14% said they block HTML within emails. Likewise, 47% said they block executables transmitted through IM, but only 24% indicated they block HTML within IM. 47% of IT decision-makers surveyed report that their companies block executables transmitted through the internet.
* PHISHING EDUCATION—the most popular sources of education for IT decision-makers to learn about new web-based threats, such as the latest phishing attack, are online media (44%) and security vendors (35%).
* INTERNET SECURITY TRAINING—58% of IT decision-makers surveyed have either an internet security awareness program, or an internet security training program, or both. Larger companies tend to do more in terms of internet security—of those IT decision makers surveyed, fully half (50%) of those who work for mid-sized companies (defined as companies with 100-500 employees) said they do not have any sort of security awareness or training program versus 36% of those who work for large companies (501-1,000 employees) and 29% of those who work for very large companies (1,001 or more employees).
18.05.2005, Websense Inc.