Phishing attacks are on the rise: Key actions to take

Organisations are often inundated by security companies telling them phishing attacks are on the rise and the risk this presents to business continuity.

Organisations are often inundated by security companies telling them phishing attacks are on the rise and the risk this presents to business continuity.  It is an alert that speaks to the ever-challenging world of employee security culture and awareness. The 2022 World Economic Forum’s Global Risk Report, identifies that 95% of cybersecurity breaches are caused by employee error. So, what are the options?  Do you absorb the findings?  Just add them to your long list of actions and accept that they may get lost along the way?  Or do we start to tackle them and build resilience? The solution is easier than you think.

Why phishing is more of a risk now

Phishing itself originated from ‘snail mail’ paper-based letters that would promise the world, only to deliver disappointment. With the advent of digital channels such as email, would be scammers could now reach more potential victims. 

It makes complete sense that phishing attacks are keeping up with the way we work and the tools we are using to do our jobs in 2022. People working from home buck a trend of concentric defences, the structure of which goes back to the security principles of castles and moats. Post COVID, this often involves working in silos, instructed by phone calls, SMS and the occasional email from a manager to check progress. The lambs are out of the pen and roaming around kitchens and coffee shops, away from the sanctity and security of the office. 

Subsequently, in 2021 83% of organisations reported experiencing phishing attacks and it’s no surprise that this number is on the up. But what do we do about this terrible situation?

Top Tips and Rules to live by:

Hardware Keys

Keys like Yubikeys or other U2F devices can limit how successful a phishing attack can be. When Google rolled out this defence they proudly stated that not a single employee was successfully phished. This is because the key only works with the legitimate website you intended it to work for. This little piece of security tech can remove so much of the risk away from feeble humans and towards solid things that we can trust, like maths.

Employee Education

Hardware keys are great, but what about at home? What about systems that don’t support this new defence? What if the social engineering risk isn’t even phishing? We need to educate users and give them the skills needed to not only do their job safely but to secure the things they care about at home too. People should have cybersecurity risks highlighted in a clear and simple fashion. Remember that for us techies, IT security is a career and often a passion. For everyone else it is a dry topic. You aren’t going to empower anyone by forcing them to watch an hour-long video on why phishing is so bad – so don’t! Mix up education with security days, posters, well designed eLearning and engaging materials. Don’t go in too complex either, ensure everyone understands the basics and go from there.

Something to ponder; we require education in so many other areas to do our jobs, why are the majority of businesses in the UK failing to educate employees on things like email risks or cyber security?


You may not think IT security has a major part to play in your companies’ culture. If we skim across the FTSE 100 you’ll often hear terms such as ‘dependable, adventurous, avant garde explaining what a business wants to stand for, I’ve never heard of a business with a tagline of ‘we do cyber security really well’. 

Cyber Security culture however is make or break for businesses in the digital world. A culture of openness and transparency can minimise risks whereas a culture of blame and negativity leads to concealed mistakes – mistakes that often come back to haunt you. 

So be bold, loosen off the tie and connect with employees. Support them to make informed choices, let them know where help is, ensure they know mistakes can happen, stop obsessing on their phishing simulation click rate and connect with them. If you don’t want to delegate this to a consultant, make a proper effort yourself and bonus points to lead with positive contributions from the board.

Richard De Vere
Richard De Vere

Share via
Copy link