Written by: Jay H.
Phishing scams are incredibly lucrative for scammers, who manage to rob victims of billions each year. A new report from cybersecurity company KnowBe4 demonstrates just how effective these campaigns are, finding that one in three untrained users were likely to fall for phishing scams.
Who’s taking the bait?
KnowBe4 used what it calls a “phish-prone percentage” (PPP) to determine how many of a company’s employees are likely to fall for social engineering scams.
The report analyzed businesses in various industries and found that, on average, 31.4 percent of employees were susceptible to these attacks. However, the number varied greatly depending on industry and size.
For small organizations, healthcare and pharmaceutical companies were the most vulnerable, with 34 percent of employees likely to fall victim. Next, education and non-profit both had a PPP of over 30 percent.
In the medium business category, hospitality businesses were at the most risk, with a PPP of 42.3 percent. Next, energy & utilities and healthcare & pharmaceuticals had extremely close PPP ratings, at 35.7 percent and 35.6 percent respectively.
Finally, large organizations were the most susceptible to phishing attacks. Over half of employees in energy & utilities and insurance companies were likely to fall victim to phishing campaigns. Next, 47.5 percent of users in large banking corporations were susceptible to attacks.
These statistics “[revealed] the bleak truth that untrained users are failing as an organization’s last line of defense against phishing attack,” said the authors.
KnowBe4 concludes that new-school security awareness training is the only way organizations can effectively strengthen their defenses against phishing campaigns. Given that the baseline PPP is 31.4 percent, a third of an organization’s workforce could be putting it at risk at any given time.
Furthermore, KnowBe4 pointed out that a good training program can strengthen end-user security in as little as three months. “The power of a good training program is to set up a consistent cadence of simulated phishing and social engineering education in a rapid timeframe,” the authors said.
Next, KnowBe4 recommends setting goals and objectives before rolling out training. Doing this will set organizations up for success and allow them to measure their results.
There were also several recommendations for executives.
First, executives must lead the charge through role modeling, including participating in the same security awareness training that the rest of their employees are expected to complete.
KnowBe4 also recommends aligning with a vendor for security training that can provide you with multiple flavours, versions, and varieties of training. “Forcing your audience into a singular learning style limits the experience, material consumption, and overall retention,” the authors concluded.
Organizations focusing on improving cybersecurity should also think like marketers and add frequent and relevant messaging in supporting materials, such as posters. Doing this reminds employees that cybersecurity is a part of the job.
It’s also important to define objectives, simulate phishing attacks, increase training frequency, and collect meaningful data, KnowBe4 said.
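The phish-prone percentage the report is built on, and the advice above to simulate phishing attacks and collect meaningful data, both come down to one metric computed from simulated-phishing results: the share of targeted users who fail a simulation. The Python below is an added example written for this page, not KnowBe4's code or its published methodology. The rule for what counts as a failure (a click or a data submission; merely opening the message does not), the organization-size thresholds, the organizations, and every event record are constructed assumptions, chosen so the calculation can be run offline.

```python
"""
Added example (not KnowBe4's code or methodology): compute a phish-prone
percentage (PPP) from simulated-phishing results, overall, per organization,
per (size, industry) cohort, and as a before/after change between campaigns.
"""
from collections import defaultdict
from dataclasses import dataclass

# Assumption: a user fails a simulation by clicking the lure or submitting
# data on the landing page. Opening the message is recorded but not a failure.
FAIL_ACTIONS = {"clicked", "submitted"}


def size_bucket(employee_count: int) -> str:
    """Map headcount to a size cohort (constructed thresholds, not the report's)."""
    if employee_count < 250:
        return "small"
    if employee_count < 1000:
        return "medium"
    return "large"


@dataclass(frozen=True)
class Org:
    name: str
    industry: str
    employees: int


# Constructed sample organizations (hypothetical names and headcounts).
ORGS = {
    "acme-clinic": Org("acme-clinic", "healthcare", 120),
    "river-hospice": Org("river-hospice", "healthcare", 60),
    "hillside-school": Org("hillside-school", "education", 80),
    "grand-hotel": Org("grand-hotel", "hospitality", 600),
    "metro-power": Org("metro-power", "energy", 4000),
}

# Constructed results for two campaigns, a baseline and a follow-up run later.
# Per (campaign, org): the users the simulation was delivered to, and the
# non-delivery events observed (one user may generate several events).
RESULTS = {
    ("baseline", "acme-clinic"): (["u1", "u2", "u3"],
                                  [("u1", "clicked"), ("u1", "submitted"), ("u3", "opened")]),
    ("baseline", "river-hospice"): (["u1", "u2"], [("u2", "opened")]),
    ("baseline", "hillside-school"): (["u1", "u2", "u3", "u4"],
                                      [("u1", "clicked"), ("u2", "clicked")]),
    ("baseline", "grand-hotel"): (["u1", "u2", "u3", "u4", "u5"],
                                  [("u1", "submitted"), ("u2", "clicked")]),
    ("baseline", "metro-power"): (["u1", "u2", "u3"], [("u1", "clicked")]),
    ("followup", "acme-clinic"): (["u1", "u2", "u3"], [("u1", "opened")]),
    ("followup", "river-hospice"): (["u1", "u2"], [("u2", "clicked")]),
    ("followup", "hillside-school"): (["u1", "u2", "u3", "u4"], [("u1", "clicked")]),
    ("followup", "grand-hotel"): (["u1", "u2", "u3", "u4", "u5"], [("u3", "clicked")]),
    ("followup", "metro-power"): (["u1", "u2", "u3"], []),
}


def expand(results):
    """Flatten RESULTS into (campaign, org, user, action) event rows."""
    events = []
    for (campaign, org), (targeted, actions) in results.items():
        events += [(campaign, org, u, "delivered") for u in targeted]
        events += [(campaign, org, u, a) for u, a in actions]
    return events


EVENTS = expand(RESULTS)


def ppp(events, campaign, org=None):
    """PPP for one campaign (optionally one org): percent of distinct targeted
    users with at least one failing action. Returns None if nobody was targeted,
    so an empty cohort never raises ZeroDivisionError."""
    targeted, failed = set(), set()
    for c, o, user, action in events:
        if c != campaign or (org is not None and o != org):
            continue
        targeted.add((o, user))  # key on (org, user): user ids may repeat across orgs
        if action in FAIL_ACTIONS:
            failed.add((o, user))  # a set, so u1 clicking and submitting counts once
    if not targeted:
        return None
    return round(100 * len(failed) / len(targeted), 1)


def ppp_by_cohort(events, orgs, campaign):
    """PPP per (size bucket, industry) cohort, pooling users across organizations."""
    targeted, failed = defaultdict(set), defaultdict(set)
    for c, o, user, action in events:
        if c != campaign:
            continue
        key = (size_bucket(orgs[o].employees), orgs[o].industry)
        targeted[key].add((o, user))
        if action in FAIL_ACTIONS:
            failed[key].add((o, user))
    return {k: round(100 * len(failed[k]) / len(targeted[k]), 1) for k in targeted}


def improvement(events, org, before, after):
    """Percentage-point drop in an org's PPP between two campaigns (None if either is missing)."""
    b, a = ppp(events, before, org), ppp(events, after, org)
    if b is None or a is None:
        return None
    return round(b - a, 1)


if __name__ == "__main__":
    for campaign in ("baseline", "followup"):
        print(campaign, "overall PPP:", ppp(EVENTS, campaign))
        for cohort, value in sorted(ppp_by_cohort(EVENTS, ORGS, campaign).items()):
            print("  ", cohort, value)
    for name in ORGS:
        print(name, "improvement (pp):", improvement(EVENTS, name, "baseline", "followup"))
```

Two details matter more than the arithmetic: failures are counted per distinct user, not per event, so one person who clicks and then submits credentials does not inflate the figure, and the cohort breakdown pools users across organizations rather than averaging per-organization percentages, so a 60-person hospice does not carry the same weight as a 4,000-person utility.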
Strengthen Your Weakest Link
Every company is at risk of cybersecurity attacks. In fact, it’s not a matter of if bad actors will attack, but when. Are your organization’s cybersecurity defenses fortified?