What if you knew that your users were aware of risks relating to cybersecurity but took risky actions anyway? Would you adjust your security awareness training program? How would you change your cybersecurity strategy? And how would you motivate your users to prioritise cybersecurity?
In our 10th annual State of the Phish report we gathered new data and expanded the scope to shine a spotlight on the insights gathered from eight countries across Europe and the Middle East. We hope that these unique insights can help you to answer some of these questions and more.
In this blog post, we’ll explore some of the insights around the state of phishing, ransomware, and user/employee behaviour across Europe and the Middle East while suggesting how you can balance your information security programs to reduce risk.
How did we compile the report?
The global 2024 State of the Phish report is compiled from data derived from Proofpoint People Protection products and research, as well as from additional sources that include:
- A commissioned global survey of 7,500 working adults and 1,050 IT professionals across 15 countries
- 183 million simulated phishing attacks sent by Proofpoint customers
- More than 24 million suspicious emails reported by our customers’ end users
What insights can be derived for Europe and the Middle East?
Countries within Europe and the Middle East have a diverse range of languages, cultures, inter-country relationships, geographical connections and information security maturity. Businesses in the region can operate at a multi-national level or have a smaller country-wide focus. Bound by the EU there exists a strong connectivity for businesses that operate within it. These organisations are typically united by common goals around preserving privacy and stopping the leakage of personal data.
The good news is that this year’s study revealed a decline in the percentage of organisations in Europe and the Middle East that were victims of at least one successful phishing attack. In 2022 the figure was 88%, and this year it was down to 75%. The bad news is that still 75% of organisations in Europe and the Middle East were subject to at least one successful phishing attack.
Naturally, you’re likely to ask how organisations like yours can help reduce the risk posed by phishing and similar attacks. Let's take a closer look.
Risk-taking users
Surveyed users in Europe and the Middle East admitted to taking risky actions such as sharing passwords, using work devices for personal activities and responding to messages from someone they do not know. This region had a higher percentage of users who took risky actions than the global average.
What does this mean for users in the countries where you operate? Our survey data tells us that in each of the four countries of UAE, Sweden, Italy and France, over 70% of users willingly undermined the security of their organisation. In fact, the country in which users took the most risks—more than any other country in our survey— was the UAE. Users across Europe and the Middle East justified their behaviour by citing time savings and convenience. UK users placed convenience above saving time.
Priorities differ for users and security teams
We may then question if users consider security to be their responsibility or that of their organisation's information security team. Worryingly, 66% of users in both the Netherlands and Sweden claimed they weren't sure or claimed they were not responsible.
Users value productivity and convenience above security and often assume their employer is responsible for keeping them safe and secure. Security professionals should keep this in mind as our research shows that 83% across Europe and the Middle East believe employees know they are responsible for security.
Multifactor authentication
Multifactor authentication (MFA) is often considered a way to mitigate password compromise and sharing. Indeed, over 9 in 10 security professionals in the UK and France still believe that MFA authentication provides complete protection against account takeover (ATO). However, Proofpoint identified more than one million attacks launched with the MFA-bypass framework EvilProxy per month. Approximately 3 in 10 security professionals in other countries across Europe and the Middle East do recognise that MFA is not a silver bullet.
Telephone-oriented attack delivery
Telephone-oriented attack delivery (TOAD) attacks have rightly gotten a lot of attention in recent years. These attacks are phishing attacks that use an initial lure to direct the user to make further contact via the telephone. Countries in this region experienced more TOAD attacks than the global average in 2023 (70% vs 67%).
Ransomware
Across Europe and the Middle East, levels of ransomware attacks and successful infections have risen in the past year. Organisations in Germany reported the highest level of successful infections with 85% admitting to being affected.
According to our 2024 survey results, just over half of organisations in this region paid a ransom in 2023 compared with last year's survey (56% vs 64% in 2022). The effectiveness of paying a ransom varied wildly. The desired outcome would be to restore affected systems and data. Yet not all organisations got their data back as expected.
Organisations in the Netherlands saw the least positive results from paying; 40% reported that they never got their data back (vs 16% globally). We also tracked a year-on-year change in the success in paying a ransom. Organisations in Spain, for example, saw a 50% success rate in regaining access to their data in 2022. However, that dropped to 21% in 2023.
Whether to send payment to cybercriminals is often a part of a cybersecurity response or resilience plan is typically viewed as a business decision. But our research shows that implications can run deeper for organisations in Europe and the Middle East. Paying often means that organisations are repeatedly targeted by cybercriminals.
Business email compromise
For years now, business email compromise (BEC) scams have been one of the costliest threats to organisations globally. They have far-ranging negative financial implications, which cybersecurity community knows all too well. Worryingly for Europe and the Middle East, given our broad range of languages in the region, we saw an increase in BEC non-English-speaking countries. This might be linked to the rise of generative AI tools such as ChatGPT which can be used to write convincing email lures.
Security awareness training and behaviour change
Across the region, 95% of organisations already use threat intelligence to inform their security awareness training programs. But it appears that more can be done to align training topics to real-world issues. As an example, let's look at the disparity between real-world threat risk and the incorporation of that knowledge into security awareness programs. 78% of German organisations experienced TOAD attacks, but only 21% used it as a security training topic—one of the largest gulfs between daily attacks and training topics. Further, we observed a decline in organisations training on essential topics such as password best practices and social engineering.
Fines and reputational damage
This year's deep dive for countries across Europe and the Middle East paints a grim picture of negative consequences which have soared in all eight countries in our survey. Reports of financial penalties, such as regulatory fines, and increases in reports of reputational damage abound. Organisations in Germany, France and UAE stood out as seeing an increase in negative consequences. Don’t rely on cyber insurance to cover all costs though—France's largest insurer announced that it would no longer cover ransomware attacks. Could this be a sign of things to come?
Find out more
Take a look at our full 2024 State of the Phish: Europe and the Middle East report for recommendations on how to adapt your cybersecurity programs.
Watch our webinar
Join us for a deeper discussion on our research and survey findings across Europe and the Middle East in our webinar on 7 March 2024 at 13:00 GMT / 14:00 CET / 17:00 GST.