Report reveals how cyber attacks target organisations depending on size
A recent Threat Spotlight report from Barracuda has highlighted a significant difference in the types of email attacks targeted at larger and smaller companies.
According to the findings, organisations with several thousand employees or more are significantly more likely to experience lateral phishing attacks. These attacks involve sending malicious emails within the organisation from a compromised internal account.
The report reveals that lateral phishing accounts for approximately 42% of targeted email attacks against organisations with 2,000 or more employees. In contrast, it accounts for only about 2% of targeted email attacks against companies with up to 100 employees. This data was gathered from an analysis of targeted email attacks conducted between early June 2023 and the end of May 2024.
Conversely, the findings indicate that smaller companies are primarily targeted by external phishing attacks. These types of attacks comprise 71% of all email threats directed at smaller businesses over the 12-month period, compared to just 41% for the largest firms.
Additionally, the report notes that smaller companies experience approximately three times as many extortion attacks as their larger counterparts. Extortion attacks made up 7% of targeted incidents for the smallest businesses, compared with only 2% for companies with 2,000 or more employees.
Regarding business email compromise (BEC) and conversation hijacking, the prevalence of these attack types remained fairly consistent across organisations of varying sizes.
Mark Lukie, Director of Solution Architects (APAC) at Barracuda Networks, commented on the findings: "All companies, regardless of their size, are vulnerable to email threats, but they are vulnerable in different ways."
"Larger companies, with many mailboxes and employees, offer attackers more potential entry points, multiple communication channels to disseminate malicious messages across the business, and employees who are likely to trust email messages that appear to come from within the organisation, even if the sender is unfamiliar to them."
"Smaller companies, on the other hand, are less likely to have layered security in place and more likely to have misconfigured email filters due to a lack of in-house skills and resources," Lukie concludes.
Barracuda's recommendations for combating these threats include implementing regular security awareness training for employees, which should encompass lateral phishing to ensure staff can easily identify suspicious emails. The company also advises relying on multi-layered, AI-powered defences to detect and mitigate advanced attacks and minimise their impact. For smaller companies, Barracuda suggests considering managed service providers to bring in additional expertise and support for fortifying their security environment against various threats.