Phishing attacks hit fewer firms but majority of workers negligent of cybersecurity risks
The majority of employees willingly undermine the cybersecurity of their organisations.
Fewer Singapore organisations were affected by successful phishing attacks in 2023 compared to the year prior, although risky behaviour that could expose companies to compromise has become increasingly rampant among employees, according to a survey by cybersecurity firm Proofpoint.
In its 2024 State of the Phish report, Proofpoint found that 68% of surveyed organisations in the city-state experienced at least one successful phishing attack last year, down from 72% in 2022.
In addition, 66% of the respondents were affected by at least one successful ransomware infection in the past year, down by three percentage points from the year prior.
Despite the decline, the survey showed 70% of working adults admitted to taking risky actions that may compromise the cybersecurity of their organisations – and nearly everyone (99%) said they did so knowingly.
Convenience (64%) was their top reason for taking risky actions, which included reusing or sharing passwords, clicking on links from unknown senders, or sharing credentials with an untrustworthy source. Meanwhile, 41% said they did so to save time, while 28% said it was due to a perceived sense of urgency.
The drop in successful phishing incidents was also not enough to mitigate the impact of cyber attacks. The survey showed a whopping 449% surge in reports of financial penalties, including regulatory fines, and an 18% jump in reports of reputational damage, as a consequence of cyber attacks.
“Individuals play a central role in an organisation’s security posture, with 74% of breaches still centering on the human element. While fostering security culture is important, training alone is not a silver bullet. The challenge is now not just awareness, but behaviour change,” said Ryan Kalember, chief strategy officer at Proofpoint.