Two-thirds of businesses anticipate COVID-themed phishing surge in 2021

The research was conducted by independent polling agency Censuswide and the results obtained via a survey of 200 business decision-makers operating within large and medium-sized enterprises here in the UK.

The data reveals that more than half (52%) of business decision-makers are anticipating an increase in cyber attacks facing their organisations, such as those triggered by the national lockdown which ended on Wednesday 2 December.

To protect their organisations, IT security processionals should take proactive measures including the introduction of security awareness training for employees, restricting VPN connections, increasing the use of multi-factor authentication wherever available and applying least privilege access controls.

Despite these concerns, 37% cent of respondents admitted that they currently have no plans to train new employees on data management policies and cyber security risks specific to COVID-related disruption.

Verifying identities

Furthermore, 37% stated that they don’t have sufficient systems in place to verify employee identities and credentials when accessing company data.

Howard Greenfield, chief revenue officer at Centrify, commented: “COVID-themed e-mail, SMS and web-based phishing attacks have not been uncommon over the last year. So far, we’ve seen cyber attack campaigns using the guise of charity, Government financial aid initiatives and business support schemes already lure thousands of victims into leaking sensitive information, such as log-in credentials and payment details.”

Greenfield continued: “In fact, these phishing campaigns have been so sophisticated and widespread that business leaders can only reasonably assume that a colleague or employee has already fallen victim to one and especially so if they’ve been working remotely this year for the first time in their career.”

He added: “Therefore, it’s absolutely imperative for companies to adopt a zero trust approach enforced by least privilege access which will only grant access to certain applications and data once a given user’s identity has actually been verified. This policy will help to ensure that leaked log-in credentials don’t necessarily translate to a breach of data.”