Phishing has been with us for many years. Just as almost no one falls for the Nigerian inheritance email scam any longer (well, for the most part), you would expect that phishing was ready to fade into the security threat sunset. But the KnowBe4 Phishing by Industry Benchmarking Report 2020 paints a very different picture.
The company surveyed and analyzed a data set of more than four million users across 17,000 organizations, and almost ten million simulated phishing security tests spanning 19 industries. Each organization and each industry was given a phish-prone percentage (PPP). This is effectively the percentage of employees who click on a simulated phishing email link or open a simulated infected attachment. The higher the score, the greater the risk.
The average score across all industries and organization sizes came out at 37.9%. In the small-organization category, Healthcare & Pharmaceutical had the highest score at 44.7%, followed by Education at 41.1% and Manufacturing at 40.9%. In the mid-sized range, Construction companies were by far the worst at 49.7%, followed by Healthcare & Pharmaceutical at 49.2% and Business Services at 43.5%. Scores worsened further in the top category: in organizations with more than 1,000 staffers, Technology companies scored a shocking 55.9%. Who scored lowest? Government organizations recorded a 26% PPP. But that is hardly impressive; it still indicates the presence of a large number of gullible personnel. At least it is half what the techies scored.
Security awareness training works, but…
The survey took things two stages further. It measured the effect of security awareness training on these numbers after three months and again after one year. KnowBe4 provides this training to keep organizations from falling victim to phishing, online fraud and other threats. After three months, the average PPP dropped from 37.9% to 14.1%. After one year, the average fell to 4.7%. Small organizations did best after one year, down to 3.9%. Large organizations, on the other hand, averaged 5.8%.
What these results point out is that the concept of a perfect, fool-proof, impenetrable and secure environment is a myth. Organizations have become too reliant on technology to defend their networks while neglecting the human element. Many spend a fortune on the latest and greatest tools and technologies only for personnel to fall victim to basic social engineering mischief.
Yes, employees may be aware of old and time-worn phishing gambits. They don’t click on those. But again and again, they fail to spot emails pretending to be from the IT department, FedEx, HR or the CEO. And many can’t resist clicking on a malicious link promising the juicy details of the latest celebrity death. As the bad guys continually revise and update their approaches, the human element remains the weak link. Investing in ongoing training to keep personnel on their toes is therefore a smart way to reduce the risk of such incursions. And ongoing is the key: security training doesn’t work as a once-a-year test. It needs to occur often for the message to stay fresh.