Even companies with robust cybersecurity measures, tight data protection mechanisms and large bank accounts experience breaches or hacks, and one of the main reasons for that is the human element.
Whether you like to admit it or not, humans aren’t as good at spotting potential risks as they should be, especially when those risks are not immediately clear.
Take phishing for example. While we might know not to click suspicious links, cybercriminals go to the ends of the Earth to make their links look legitimate, and this means there is still a lot of work to do when it comes to educating folks.
Cybersecurity awareness firm KnowBe4 has published its Phishing By Industry Benchmarking Report for 2021 and, while we’d encourage IT professionals to dive into the full report here, we’re looking at a slice today.
That slice looks at how training and education can improve cybersecurity awareness.
In the first phase of the study, a test was initiated from within organisations that hadn’t conducted KnowBe4 training before.
“Users received no warning, and the tests were administered on untrained people going about their regular job duties,” KnowBe4 explains.
From here KnowBe4 measured how many folks clicked dangerous links and assigned a Phish-prone percentage (PPP), that is, the average percentage of employees who are likely to click malicious links.
That average is 31.4 percent, which means that roughly one out of three employees will click dangerous links. This figure is lower than the 37.9 percent average noted in 2020, but it is still too high.
After 90 days of training and simulated phishing security tests, things improve drastically.
“In those 90 days after completed training events, the average Phish-Prone percentage was cut to almost half at 16.4 percent, consistent with both the 2019 and 2020 studies. The dramatic drop in Phish-Prone percentages was not specific to a certain industry or organization size,” writes KnowBe4.
The third test takes place after a year of training and tests.
After this third phase KnowBe4 found that the PPP dropped to 4.8 percent.
It’s quite clear that training and awareness work, but it’s important that this training is consistent.
Each week there is a new phishing tactic or strain of malware to protect against, and conducting training regularly can help employees spot risks they might not otherwise have noticed.
This is vital for certain sectors where, if a cybercriminal breaks in, things can go very badly for a lot of people.
“In critical industries like Energy & Utilities and Healthcare & Pharmaceuticals where lives can be severely impacted, we found particularly high levels of cybersecurity risk as a result of simulated phishing test failures,” explains chief executive officer at KnowBe4, Stu Sjouwerman.
“This is deeply concerning. Organisations should monitor their risks due to the majority of data breaches originating from social engineering. This data shows us that implementing security awareness training with simulated phishing testing will help to better protect organizations against cyber-attacks.”
As mentioned, you can download the full report for free here.
[Image – CC 0 Pixabay]