More

    Spear Phishing, Targeted Attacks and Data Breach Trends

    During the RSA Conference 2013 and Infosecurity Europe 2013 conferences, Proofpoint surveyed a total of 620 professionals with C-level, IT, security and risk/compliance titles (505 of these at the RSA Conference, 115 at Infosecurity Europe) that visited Proofpoint’s conference booth. Using a Web-based survey, respondents were asked about a variety of concerns around spear phishing, advanced targeted attacks and data breaches. Both surveys asked the same questions. This slideshow features the key findings.

    Spear Phishing, Targeted Attacks and Data Breach Trends - slide 1

    Click through for results from a security and threats survey conducted by Proofpoint.

    Spear Phishing, Targeted Attacks and Data Breach Trends - slide 2

    The majority of respondents (58 percent) believe that, in the past year, their organization was targeted by a phishing email designed specifically to compromise their own users (also known as a “spear phishing” attack).

    There was some difference between the two surveys: For example, in the RSA survey, 62 percent of respondents said that they believe their organization was targeted by such an attack. In the Infosecurity survey, 42 percent of respondents said that they believe their organization was targeted by such an attack. It’s unclear if this indicates a real difference in the prevalence of spear phishing between the U.S. versus Europe, a difference in the level of concern and/or awareness of spear phishing between the two regions, or if the discrepancy is an artifact of the difference in sample sizes between the two surveys.

    Overall, 20 percent of respondents said that their organization was not the target of a spear phishing attack (18 percent RSA, 32 percent Infosecurity). Another 21 percent of respondents (20 percent RSA, 26 percent Infosecurity) reported that they did not know.

    Spear Phishing, Targeted Attacks and Data Breach Trends - slide 3

    Among organizations with 1,000 or more email users (379 total, 318 in the RSA survey, 61 in the Infosecurity survey), 65 percent of respondents (67 percent RSA, 52 percent Infosecurity) said that their organization had been the target of a spear phishing attack in the past year.

    Of this group, only 12 percent (11 percent RSA, 18 percent Infosecurity) do not believe they were the target of a spear phishing attack and the remaining 23 percent (22 percent RSA, 30 percent Infosecurity) reported that they did not know.

    Comparatively, organizations with fewer than 1,000 email users (241 survey respondents, 187 in the RSA survey, 54 in the Infosecurity survey) reported fewer spear phishing attacks — 48 percent (53 percent RSA, 30 percent Infosecurity) believe they had been targeted, 33 percent (29 percent RSA, 48 percent Infosecu­rity) did not and 19 percent (18 percent RSA, 22 percent Infosecurity) did not know.

    Spear Phishing, Targeted Attacks and Data Breach Trends - slide 4

    Beyond spear phishing, a majority of respondents (56 percent – 58 percent RSA, 45 percent Infosecurity) believe that, in the past year, their organization was the target of some other form of targeted attack and/or advanced persistent threat. 21 percent of respondents (19 percent RSA, 30 percent Infosecurity) do not believe they were targeted in this way. The remaining 23 percent of respondents (23 percent RSA, 24 percent Infosecurity) did not know.

    Spear Phishing, Targeted Attacks and Data Breach Trends - slide 5

    As with spear phishing attacks, large organizations were more likely to be targeted. Among respondents from organizations with 1,000 or more email users, 63 percent (64 percent RSA, 57 percent Infosecurity) said that their organization had been the target of some other form of targeted attack and/or APT.

    Among smaller organizations (those with less than 1,000 email users), 45 percent reported being the target of some other form of targeted attack and/or APT.

    Spear Phishing, Targeted Attacks and Data Breach Trends - slide 6

    Respondents were also asked, “In the past year, was your organization the victim of a data breach? (i.e., was confidential or proprietary information about – or belonging to – your orga­nization improperly exposed?).” Overall, 19 percent (18 percent RSA, 23 percent Infosecurity) of respondents said that their organization had experienced a data breach in the past year.

    This finding was fairly consistent regardless of company size: 21 percent (20 percent RSA, 21 percent Infos­ecurity) of respondents from large organizations (more than 1,000 email users) said their organization experienced a breach, as did 17 percent (15 percent RSA, 24 percent Infosecurity) of respondents from smaller organizations.

    Overall, roughly half of respondents (51 percent – 52 percent RSA, 44 percent Infosecurity) said that their or­ganization did not experience a data breach in the past year. A significant number of respon­dents to the survey were unsure whether their organization had suffered a breach or not — the remaining 30 percent (30 percent RSA, 33 percent Infosecurity) reported that they did not know.

    Latest Articles