Construction SMEs most at risk from phishing attacks

Relying chiefly on human naivety, phishing scams are becoming more sophisticated and difficult to detect by the day.

Regardless of how many security tools an organization has in place, they could all be rendered redundant at the single, absent-minded click of a link in an email. According to Verizon’s 2019 Data Breach Investigation Report, phishing was the number one threat action used in successful breaches linked to social engineering and malware. 

When it comes to the latter, there’s hardly a limit to the havoc that can be wreaked on an organization. Hydro— the Norwegian aluminum manufacturer that was recently victim to ransomware— stated it has spent more than US$57 million in a bid to restore itself to full capacity following the attack, as it made the bold decision not to negotiate with those behind it. 

But while every industry may share the human vulnerabilities at the root of most cyber attacks, a new report by KnowBe4 shows that some may be more at risk than others. 

Phishing-prone industry

Drawing on a vast data set of nine million users across 18,000 organizations— subject to 20 million simulated phishing security tests across 19 different industries— the research highlighted a “drastic predicament” for those that aren’t investing in security awareness training. 

With a measurement dubbed the Phish-prone percentage (PPP), the researchers were able to determine how many of an organization’s employees are likely to be duped into opening an infected file or transferring funds to a fraudulent account. Across all industries, the average risk was found to be 29.6 percent, up 2.6 percent from 2018. 

Construction & hospitality

For both small and medium-sized organizations, however, the construction sector ranked as being the most high-risk, toting a 37 percent proportion of ‘Phish-prone’ employees. Indeed, the UK government reported that construction firms had been affected by 77,000 cybersecurity incidents in 2015. 

Among SMEs, insurance companies also fared poorly— risks increased to more than a third of their workforce.

But for large organizations or those with more than 1,000 or more employees, hospitality companies displaced not-for-profits with an astounding 48.4 percent. That follows earlier research by Symantec that found two out of three hotel websites continue to inadvertently leak guests’ booking details, as well as the infamous Marriot data breach which left 500 million customers’ details exposed. 

On the clear trends between separate industries, KnowBe4 Security Awareness Advocate Javvad Malik said that companies in one sector often don’t believe they can be targeted by cybercriminals and that they have no valuable data. 

“Not only is this a misconception, but also, we see with many attacks such as ransomware, the objective isn’t to steal data, rather it’s to extort money from companies by making systems unavailable,” said Malik. 

Often seen to be an ‘offline’ industry— spanning anything from mining, quarrying, the supply of products, as well as maintenance and disposal— construction companies, for example, could hold masses of valuable and sensitive data on client properties and future projects. Meanwhile, as machinery becomes increasingly integrated with IT, the industry could be unprepared for a new wave of cyber-sabotage. 

“When we look at the overall types of attacks, many can be thwarted by better employee awareness and training so that they are less likely to fall victim to scams or phishing attacks which can impact the whole company.”

After 90 days of computer-based training and simulated phishing security tests, it was found that vulnerability rates were cut in half across industries from 30 percent to 15 percent. After 12 months, there was a “dramatic” drop from 30 percent to just 2 percent.