Malicious phishing attacks are far more effective than most businesses realise, claims expert

Neira Jones tells Computing that too many businesses are failing to give cyber security the priority it deserves

Despite the constant threats posed by hackers, organisations have failed to give cyber security the high priority it requires and are thus leaving themselves vulnerable to the increasingly sophisticated methods used by cyber criminals.

That's according to security expert Neira Jones, who told Computing that organisations "haven't fixed the basics" when it comes to protecting their data from cyber criminals, with a major reason behind this a "lack of cyber security awareness programmes".

Jones explained that attack methods such as phishing are now much more effective than before because they're designed in such a way as to be unidentifiable as a malicious message.

"What has increased is the proportion of spam messages that include a hyperlink which, when you click it, is email-borne malware featuring malicious code. What has also increased is emails containing viruses and emails containing phishing attacks," she said, before describing how targeted campaigns are paying dividends for cyber criminals.

"Criminals are becoming a lot more effective at delivering their payloads. A phishing campaign of only 10 emails has more than 90 per cent chance of getting a click and when you get users who are unaware, that's an explosion waiting to happen."

Jones blamed the failure of enterprises to give cyber security the attention it deserves for the high success rate of phishing emails.

"I think it's because cyber security isn't really given a high priority. If you're not in the business of cyber security, like a security company, then it's not your core competence," she said, echoing findings revealed by EY last month which said organisations are unprepared for the inevitable cyber attacks they face.

The problem, Jones explained, is that businesses might even be aware that they have a problem, but aren't willing to spend the resources or the willpower to ensure that cyber security is everyone's responsibility.

"If you're a large organisation you'll have resources and you'll have departments and there may be cyber security, but at the end of the day, you're not in the business of security

"So awareness programmes are a low priority and security isn't understood; staff at large have a day job to do and they don't feel that's part of their responsibility," she said, before going on to suggest "organisations have essentially failed on cyber security".

"They don't make it part of the culture," Jones argued. "But the culture isn't just protecting the enterprise, it's about protecting customer data as well. Because a data breach means loss of credentials, loss of card information.

"Theft represented 60 per cent of all fraud in 2013," she continued.

"People are aware that it could affect them, but somehow, training and awareness programmes that I've seen don't actually make it real for the individual," Jones concluded.