As phishing attacks become increasingly sophisticated, users are adapting to this cyber threat. Only seven years ago, the user click rate for phishing emails was a whopping 25%, a figure which has fallen dramatically to around 3%. From these figures alone, it looks as though the threat has decreased, yet we also see how the cost of these attacks continues to grow.

The frequency with which people use electronic communications in 2019 is partly responsible for this fall in user click rate. If your modern job, for example, requires you to sift through one hundred emails a day, it’s expected that your spider senses will become more attuned to nefarious intent when it appears in your inbox.

As the user becomes savvier, the scammers require not only a bigger net to catch their prey, but also more refined methods. Though the likelihood of users making erroneous judgements has fallen, the scary truth that 32% of all breaches still involve phishing should have employers and security officers asking: how do we train our employees to avoid phishing attacks?

Industry Vulnerability

When it comes to different industries, each has something to lose from an effective phishing attack. Whether it is intellectual property, confidential data or financial loss, no business or organisation is immune to the threat scammers pose; it is also true that no two industries perform equally well at identifying attacks.

The latest research suggests that there is a substantial difference in the ability of different industries to defend against phishing attacks. Retail is the most vigilant, with a mere 1.3% click rate; we can perhaps attribute some of this relative success to the reasonable assumption that, for scammers, retail represents a relatively minimal opportunity for returns and is therefore not a highly regarded target. Alongside retail we also have finance (2.04%) and healthcare (2.13%), each perhaps an industry that places an understandably high level of importance upon information security.

On the other end of the spectrum we have the education industry topping the leader board with a phishing click rate of just under 5%, some 2% higher than the average, a finding which should have education administrators very nervous about their chances of avoiding major future breaches.

Financially Motivated Attacks

Though education as an industry ranks 5th in terms of FMSE (financially motivated social engineering) incidents, the potential damage that can be inflicted by a phishing attack is particularly significant once we also appreciate the sensitivity of educational institutions’ data.

With a rise of 69% in cyber-attacks against UK schools between 2017 and 2018, 20% of all educational institutions have already been targeted for attack. With the average cost of a cyber-attack now exceeding £180,000, it is definitely time for organisations to take on the challenge of active defence.

To meaningfully mitigate security risks within an organisation, we must first understand the origins of the threat. Firstly, 34% of all breaches involve internal actors. Secondly, of these actors, 64% contribute to attacks through careless or negligent behaviour. Thirdly, when we take into consideration that 77% of all UK workers have never received any form of information security training from their employer, we can understand how the costs of these phishing attacks continue to increase.

Reducing Risk

Phishing simulations are a method by which an organisation sends its own employees suspicious emails, both to measure user interaction and to educate staff about the risks of accidentally clicking on dangerous emails, links and attachments. Though simulated phishing attacks have been shown to improve awareness and phishing avoidance, they are not the ‘fix-all’ solution to information security concerns.

Despite not being a ‘magic bullet’, a robust simulated phishing campaign can be an integral part of the overall security awareness training initiative. Rather than being used as a metric by which to punish employees, having access to quantifiable information about potential vulnerabilities allows an organisation to begin the process of building a secure internal culture.

Launching a simulated phishing campaign could be the first step in helping to safeguard a secure culture, though it is certainly not the last. Given the choice between information security training and an information-secure culture, organisations would be remiss to think that mere compliance will help teams absorb a mentality and culture that ensures meaningful, lasting change.