The most common security issue for businesses probably isn’t that big a surprise

Cybersecurity researchers from ESET discovered that phishing has been the biggest incident type for companies of all shapes and sizes over the past four years.

Of all the incidents reported to the ICO’s Data security incident trends report, phishing was by far the most-reported, with almost 2,700 incidents (2,694), roughly twice as many as second-placed unauthorized access. 

With just above 1,000 incidents, ransomware was the third most reported incident type, followed by verbal disclosure of personal data, and hardware/software misconfiguration.

In these past couple of years, the number of reported cybersecurity incidents soared, from 573 reports in Q1 2019, to 714 in Q2 2022. Most incidents reported – 737 – occurred in Q2 2020, which ESET speculates might have been due to Covid-19 restrictions forcing people to work remotely.

All sectors have been hit with cyberattacks, but the media industry seems to have had it worst. It had a relatively low number of data security incidents overall, ESET says, but it also had the highest share of cyber incidents. 

Retail and Manufacture had the highest number of cyber incidents overall at 943, followed by General Business (858) and Finance, Insurance and Credit (788).  

Analyzing cyber-incidents overall, ‘Data emailed to incorrect recipient’ is the most common one (3,719 since Q1 of 2019/20), followed by ‘Data posted or faxed to incorrect recipient’ and ‘Loss/theft of paperwork or data left in insecure location’ (2,806 and 1,931 incidents).

With attackers getting more proficient and using better tactics, it’s never been so important to verify authentic emails, says Jake Moore, Global Cybersecurity Advisor at ESET. 

“Criminals continue to use emails as their number one attack vector of choice in the hope that they can install malware or take over email accounts, masquerading as someone known to the victim to siphon off sensitive information. 

Having safeguards in place, such as a firewall, is a must, he continues.

“Organizations must ensure they are prepared for phishing emails by having robust controls in place such as spam filters and multi-factor authentication, however, user awareness and training remain the best defense against these increasing attacks.”