Nine in ten companies have “non-existent” anti-phishing defences

Nine in ten companies have “non-existent” anti-phishing defences

Eighty eight percent of the UK’s largest companies have “weak or non-existent” anti-phishing defences — despite phishing being one of the most common cyberattacks — a three-month-long Rapid7 study has revealed.

The lack of strong anti-phishing defences places any FTSE 250 organisation at risk of data theft and other cyber-attacks, as any one of its thousands of employees could fall victim to a secretly malicious email.

Placing the finding into context, this is the weakest anti-phishing showing for all Rapid7 industry cyber-exposure reports to date.

Moreover, the study found that while all industry sectors within the FTSE 250 had at least one organisation with a malware infection, administrative and professional organisations showed monthly signs of “regular compromise”.

Incidents ranged from company resources being co-opted into denial-of-service (DoS) amplification attacks to signs of EternalBlue-based campaigns similar to WannaCry and NotPetya.

Further still, 19% of FTSE 250 organisations have not enforced SSL/TLS security on their primary websites, leaving visitors open to a wide array of common attacks by adversaries in a position to modify web content as it is being transmitted.

The findings from this report come from Rapid7’s Project Sonar, which scans the internet for exposed systems and devices across a wide array of services, like web servers, mail servers, file servers, database servers and network equipment.

Tod Beardsley, research director at Rapid7 said, “We believe this is the most comprehensive and accurate public report covering the real-world internet presence of a national economy to date.

“By measuring specific areas of cybersecurity, we are able to zero in on the most common problem areas in each of the surveyed industries and offer practical, specific defensive advice to each one.

“Because FTSE 250 organisations typically have substantial resources and access to excellent technical expertise, the findings suggest that the severity of exposure may be greater for the many thousands of organisations smaller than those in the FTSE 250.

“The digital ecosystem could benefit from an ongoing conversation with key stakeholders on the reasons for this continued exposure, along with steps to mitigate the cybersecurity risks it poses.”