11/10/2024
Phishing attacks have become one of the most pressing cybersecurity challenges for businesses worldwide. In 2024, phishing attacks were not only more frequent but also more sophisticated, forcing companies to seek advanced methods to protect their employees and systems. Phishing is a cyberattack that tricks people into sharing sensitive information through fraudulent emails, text messages, phone calls, or websites.
AI-driven cybersecurity tools have emerged as an indispensable asset in this fight, and as a cybersecurity expert, I’ve witnessed first-hand how these tools are transforming the landscape.
The scale of the phishing problem in 2024
The number of phishing attacks in 2024 is staggering, with 50% of businesses in the UK reporting they have experienced some form of cybersecurity breach or attack in the last 12 months (UK Government, 2024). According to the Cyber Security Breaches Survey 2024 carried out by the UK Government, 84% reported that phishing is the most common type of breach or attack they have faced. These attacks range from fake login prompts to impersonation of trusted brands, and the damage caused often extends beyond financial loss, threatening a company’s reputation and customer trust.
Phishing attacks tend to spike during the holiday season, as employees become more vulnerable to scams offering free items or discounted deals. With the ongoing cost of living crisis, many are even more tempted by these offers, making it crucial for staff to recognize the risks of such scams. Research from Cyberint reveals that phishing alerts increased by 46% last December compared to the average rates seen during the rest of the year, highlighting the heightened threat during this period.
In 2023, phishing attacks grew by up to 17%, with nearly 7 million detections recorded (Trend Micro). “Phishing attacks are on the rise because they are both highly effective and easily scalable,” explains Ben Large, a cybersecurity expert at Ultima. “The emergence of Phishing as a Service (PhaaS) has made it even easier for cybercriminals, including those with minimal technical skills, to launch sophisticated attacks by purchasing ready-made phishing kits and tools. This has significantly lowered the entry barrier, leading to a surge in phishing attempts.”
Large adds, “Increased digital dependence, particularly with the shift to remote work and online activities, has provided cybercriminals with more opportunities to exploit. As communication and transactions move increasingly online, the pool of potential victims grows, making phishing a lucrative and persistent threat.”
Research by Cybersecurity Ventures predicted cybercrime would cost the world £7.7 trillion in 2024 alone. A phishing attack costs organisations an average of £3.61 million, according to IBM. It’s no wonder companies are seeking out AI tools to help cope with these breaches.
Why companies are investing in AI for phishing prevention
Phishing is no longer a simple cybercrime tactic and is now a highly organised and persistent threat to companies of all sizes. Businesses are rapidly adopting AI-based tools to combat the risk for several reasons:
Cost-Effective
A single successful phishing attack can be financially crippling for a business. With average recovery costs running into millions, AI tools represent a cost-effective preventive measure. These tools are often scalable and can adapt as a company grows, ensuring comprehensive protection without significant cost increases. AI-driven cybersecurity platforms typically follow subscription-based models, with prices depending on the scale of the business and its requirements. According to Peerspot, enterprise buyers generally view Darktrace’s pricing as flexible but often on the higher side. The costs are primarily subscription-based, available either monthly or annually, and are typically negotiated directly or through a local vendor.
While larger organisations may benefit from vendor references or discounted rates, smaller businesses can find expenses ranging from £24,600 to over £82,000 annually to be challenging. It’s essential to recognise that businesses are not one-size-fits-all: each company has unique network requirements that necessitate tailored solutions, which can result in varying quoted figures. Hiring a cybersecurity team can be challenging due to the shortage of talent in the UK. With a limited pool of highly skilled experts, businesses often need to offer more competitive packages to attract top candidates.
For small to mid-sized businesses, AI cybersecurity tools present a cost-efficient solution compared to a full cybersecurity team, making them more attractive in terms of budget and scalability. Larger enterprises often blend AI with a human team to provide comprehensive protection and incident management.
Lack of Talent in Cybersecurity
Skilled cybersecurity professionals are in short supply, with industry estimates showing a global shortage of over 3.5 million cybersecurity workers. AI allows companies to optimise their existing human resources by taking over the repetitive and time-consuming threat detection tasks, allowing cybersecurity teams to focus on higher-level strategy and response.
There is a serious shortage of cybersecurity professionals in the industry: the number of unfilled cybersecurity jobs worldwide grew by 350%, from 1 million to 3.5 million, between 2013 and 2021, according to Cybersecurity Ventures. The number of open roles has remained consistent, with 3.5 million jobs unfilled in 2023.
“The cybersecurity industry is grappling with a talent shortage because business growth has outpaced the availability of skilled professionals,” says Ben Large, Cybersecurity expert. “Security today is far more complex than it was 20 years ago, evolving quickly and presenting new challenges to organisations. Unfortunately, many businesses want a qualified and skilled individual to hit the ground running without the need to invest money in training which has led to this talent shortage and competition for fully developed experts.”
Large continues, “AI may take over some aspects of security, and that’s a positive development for businesses. With AI tools, less-experienced security staff can work more efficiently and tackle advanced tasks with greater speed and effectiveness.”
Reduction in Human Error
Human error, such as employees clicking on malicious links or sharing sensitive information, is one of the biggest reasons phishing attacks succeed. According to Keepnet, 82% of breaches involved a human element. Cybercriminals often exploit vulnerabilities in human behaviour, such as urgency or curiosity, which leads to compromised systems.
Ben Large, Ultima’s cybersecurity expert, emphasises that human error often stems from insufficient training. While many companies rely on third-party security courses to educate employees on cybersecurity, Large argues that these courses are less effective in isolation and should be blended with direct training by a cybersecurity expert, where real-world threats faced by the company are explored and mitigated for the business. “Having an expert teach employees how to identify and report threats is far more efficient than generic online courses alone,” he says.
Large also notes that online IT courses are often left incomplete and sometimes leave staff lacking full understanding. While these training sessions are actively enforced by management and regulation, some employees skip through the material without fully absorbing the lessons, leaving them at greater risk of falling for a phishing attack. He suggests businesses should adopt a progressive training approach, where employees start with basic concepts and advance through increasingly complex topics as they complete each stage of the training.
This is supported by Keepnet, who reported that cybersecurity awareness training led to a 70% reduction in security-related risks in 2023, underscoring the value of such programs in safeguarding businesses. Users who have undergone phishing awareness training are 30% less likely to click on phishing links, demonstrating that properly structured training can significantly reduce the likelihood of security breaches caused by human error. However, 45% of employees report receiving no security training from their employers, revealing a major gap in many organisations’ cybersecurity strategies. This lack of training leaves companies more vulnerable to attacks through human error, as employees are unaware of how to spot a threat. Additionally, 93% of cybersecurity experts agree that an effective defense against cyber threats requires a dual focus on both human and technological factors. This expert consensus further emphasises the need for integrated training programs that combine human-focused security awareness with technical defenses.
These statistics reinforce Large’s recommendation of a progressive, structured training approach, as they demonstrate that consistent and thorough employee education can drastically reduce security risks in the workplace.
With AI-powered security tools, employees can reduce reliance on human judgement by automating the identification and blocking of suspicious emails or URLs. These tools work by continuously analysing vast amounts of data and recognising patterns that indicate phishing attempts, which humans can miss.
Conclusion
The explosion of phishing attacks in 2024 has left businesses with no choice but to seek advanced solutions while ensuring the business can continue to function with minimal impact. AI has started to prove a game-changer in this domain, offering 24/7 protection, real-time threat analysis, and predictive intelligence that empowers companies to mitigate the risks of phishing attacks before they can cause significant harm.
By leveraging AI, businesses are investing not just in technology but in a long-term, adaptive solution that will grow with their security needs and ensure they stay one step ahead in the ever-evolving world of cybercrime. AI can also be quickly updated on new threats, thereby increasing the efficacy of the engine in defending users and companies from known and unknown threats. Adding layers of training, be it real-world or video learning, adds additional layers of armour to the organisation. While these might never be 100% bulletproof, they add to the defence-in-depth approach.
About Ben Large, Cybersecurity Expert at Ultima
Ben Large is a Security Presales Consultant at Ultima, a leading provider of IT solutions and services that help customers achieve their digital transformation goals. With over 20 years of experience in the security domain, Ben helps customers design and implement solutions that protect their assets, data, and reputation from cyber threats.
Ben’s role involves pre-sales engineering, consulting, and training on Ultima’s security offerings, which include MS Sentinel, EDR/MDR, penetration testing, security advice, incident assistance, OSINT, and threat intelligence. Ben also supports tender responses for RFI, RFP across public sector frameworks for government sectors for cyber security.
In addition to his technical and functional expertise, Ben is also a thought leader and a cyber security blogger who writes about the latest trends, challenges, and best practices in the security industry. Ben is an evangelist for the business value of security products, articulating their benefits to executive-level decision-makers. He believes that security is not only a technical issue, but also a strategic and cultural one, and strives to help customers achieve a holistic and sustainable security posture.
About Ultima
Called out by Canalys at their annual Forum in Berlin held between 8 – 10th October 2024 as a ‘new breed of AI powered’ IT Services Technology provider, Ultima has specialised in advising and managing technology solutions to the private and public sectors for over 35 years.
Ultima empowers organisations to achieve stronger infrastructure resilience, drive growth, enhance operational efficiency, and embrace digital opportunity to commercial and reputational benefit. With Global Headquarters in the United Kingdom and further offices in Australia, Singapore, the United States, and now South Africa, Ultima delivers world-class solutions and services to private and public sector clients across various industries.
For more information: www.ultima.com