The one in nine Kiwis who fell for a faux phishing attack conducted by KPMG this week have demonstrated just how important it is for New Zealand organisations to ensure they have the right controls in place to prevent, detect and rapidly respond to phishing attacks.
As part of Cyber Smart Week, the KPMG Cyber team undertook a phishing exercise to gain insights into how security aware New Zealanders are, and to see if things have improved since they ran a similar exercise in 2016.
Forty five organisations with a total of 7,574 staff agreed to participate in the exercise. The participants were sent an email indicating that malware had potentially been detected on their computers, asking them to log into a website to validate the files.
Of the 7,574 people phishing emails were sent to, 1,043 people (13.8%) clicked on the website link in the email, and 879 (11.6%) entered their password into the website.
Philip Whitmore, KPMG Partner and head of KPMG Cyber in New Zealand, said the exercise was a great way to educate employees and start a discussion in the workplace, but also a real warning sign for organisations.
“The results are unfortunately no better than 2016, when 12% of the people clicked on the website link, and 8% entered their password into the website,” said Philip. “All it takes is one person to fall for a phishing attack for the results to be potentially devastating, and for some participating organisations, the results were much higher than the average.”
The first person entered their password into the fake website less than a minute after the phishing emails were sent.
The percentage of staff within an organisation that provided their passwords ranged from 2% to 38%. The size of an organisation did not seem to affect the results, with staff from both small and large organisations falling for the phishing emails.
“With many organisations still relying upon just username and password for remote access, or for accessing cloud based services such as Office 365, had our phishing test been real, it would have meant it was game over for many of the organisations involved.”
The need for robust cyber security practices is a clear imperative to help protect businesses and individuals against a growing swell of cyber threats, with phishing attacks being the most common way for a cyber-criminal to get an initial foothold into an organisation.
“Targeted security awareness training about phishing is important, and the results show that many organisations need increased focus,” says Philip. “However that is only part of the answer, and from our experience, New Zealand businesses need to think much wider about what they do to protect themselves against phishing attacks. Simple controls such as multi-factor authentication, restricting macros in Microsoft Office, patching and limiting who has administrative access, can go a long way to minimise the impact when someone falls for a phishing attack.”
KPMG is seeing an increase in the number of New Zealand organisations getting breached as a result of phishing attacks, with some New Zealand organisations experiencing multi-million dollar losses in 2019 as a result.
“There appears to be no let-up in sight, with phishing attacks on the risk, particularly given that New Zealand is seen as a soft target by cyber-criminals due to our low level of cyber security maturity.”