Phishing Simulation for Employees
As phishing attacks become increasingly sophisticated, users are adapting to this cyber threat. Only seven years ago, the user click rate for phishing emails was a whopping 25%, a figure which has fallen dramatically to around 3%. From these figures alone, it looks as though the threat has decreased, yet we also see how the cost of these attacks continues to grow.
The frequency with which people utilise electronic communications in 2019 is in part responsible for this fall in user click-rate. If your modern job, for example, requires you to sift through one hundred emails a day, it’s expected that your spider senses are going to become more attuned to nefarious intent when it appears in your inbox.
As the user becomes savvier, the scammers require not only a bigger net to catch their prey, but also more refined methods. Though the likelihood of users making erroneous judgements has fallen, the scary truth that 32% of all breaches still involve phishing should have employers and security officers asking: how do we train our employees to avoid phishing attacks?
When it comes to different industries, each has something to lose from an effective phishing attack. Whether it is intellectual property, confidential data or financial loss, no business or organisation is immune to the threat scammers pose; it is also true, though, that industries do not perform equally well at identifying attacks.
The latest research suggests that there is a substantial difference in the ability of different industries to defend against phishing attacks. Retail is the most vigilant, with a mere 1.3% click-rate; we can perhaps attribute some of this relative success to the reasonable assumption that, for scammers, retail represents a relatively minimal opportunity for returns and is thus not a highly regarded target. Alongside retail, we also have finance (2.04%) and healthcare (2.13%), each perhaps an industry that places an understandably high level of importance upon information security.
On the other end of the spectrum we have the education industry topping the leader board with a phishing click-rate of just under 5%, some 2% higher than average, a finding which should have education administrators very nervous about their chances of avoiding major future breaches.
Financially Motivated Attacks
Though education as an industry ranks 5th in terms of FMSE incidents (financially motivated social engineering), the potential damage that can be inflicted by a phishing attack is particularly significant if we also appreciate the sensitivity of educational institutions’ data.
With a rise of 69% in cyber-attacks against UK schools between 2017 and 2018, 20% of all educational institutions have already been targeted for attack. With the average cost of a cyber-attack now exceeding £180,000, it is definitely time for organisations to take on the challenge of active defence.
To meaningfully mitigate security risks within an organisation, we must first understand the origins of the threat. Firstly, 34% of all breaches involve internal actors. Secondly, of these actors, 64% contribute to attacks through careless or negligent behaviour. Thirdly, when taking into consideration that 77% of all UK workers have never received any form of information security training from their employer, we can understand how the costs of these phishing attacks continue to increase.
Phishing simulations are a method by which an organisation sends its own employees suspicious emails, both to measure user interaction and to educate them about the risks of accidentally clicking on dangerous emails, links and attachments. Though simulated phishing attacks have been shown to improve awareness and phishing avoidance, they are not the ‘fix-all’ solution to information security concerns.
Despite not being a ‘magic bullet’, a robust simulated phishing campaign can be an integral part of the overall security awareness training initiative. Rather than being used as a metric by which to punish employees, having access to quantifiable information regarding potential vulnerabilities allows an organisation to begin the process of creating an internal secure culture.
Launching a phishing simulation campaign could be the first step in helping to safeguard a secure culture, though it is certainly not the last. Given the choice between cyber awareness training and an information-secure culture, organisations would be remiss to think that mere compliance will help teams absorb a mentality and culture that ensures meaningful change.
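The "quantifiable information" a simulation produces is only useful if the numbers are computed consistently. The following is an added example (not Hut Six's code) of how a security team might summarise the results of a simulated campaign: it counts each recipient once per event type, so a user who clicks the same link three times is still one click, reports a report rate alongside the click rate, skips the division when a department received no emails, and flags events from recipients the campaign never targeted as a data-quality problem rather than a result. The tab-separated log format, the department names and the events themselves are all constructed for the example.

```python
"""Summarise a simulated phishing campaign's event log (added example).

Assumed log format (constructed, not a real product's output): one event per
line, tab-separated: timestamp, campaign, department, recipient_id, event,
where event is one of sent / opened / clicked / reported.
"""
from collections import defaultdict

EVENTS = ("sent", "opened", "clicked", "reported")

# Constructed sample events for one campaign. Note that u101 clicks twice and
# that u201 (retail) clicks without ever having been sent the email.
SAMPLE_LOG = """\
2019-06-03T09:00:01\tQ2-invoice\tfinance\tu001\tsent
2019-06-03T09:00:01\tQ2-invoice\tfinance\tu002\tsent
2019-06-03T09:00:01\tQ2-invoice\tfinance\tu003\tsent
2019-06-03T09:00:02\tQ2-invoice\teducation\tu101\tsent
2019-06-03T09:00:02\tQ2-invoice\teducation\tu102\tsent
2019-06-03T09:00:02\tQ2-invoice\teducation\tu103\tsent
2019-06-03T09:00:02\tQ2-invoice\teducation\tu104\tsent
2019-06-03T09:05:10\tQ2-invoice\tfinance\tu001\topened
2019-06-03T09:05:40\tQ2-invoice\tfinance\tu001\treported
2019-06-03T09:07:12\tQ2-invoice\teducation\tu101\topened
2019-06-03T09:07:30\tQ2-invoice\teducation\tu101\tclicked
2019-06-03T09:07:35\tQ2-invoice\teducation\tu101\tclicked
2019-06-03T09:10:00\tQ2-invoice\teducation\tu102\topened
2019-06-03T09:10:20\tQ2-invoice\teducation\tu102\tclicked
2019-06-03T09:11:00\tQ2-invoice\teducation\tu103\treported
2019-06-03T09:12:00\tQ2-invoice\tretail\tu201\tclicked
"""


def parse_log(text):
    """Parse event lines into dicts; malformed lines and unknown events are skipped."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.rstrip("\r\n").split("\t")
        if len(parts) != 5 or parts[4] not in EVENTS:
            continue  # not a well-formed event: ignore rather than guess
        ts, campaign, dept, user, event = parts
        records.append({"ts": ts, "campaign": campaign, "dept": dept,
                        "user": user, "event": event})
    return records


def summarise(records):
    """Per-department distinct-recipient counts and rates."""
    seen = defaultdict(lambda: defaultdict(set))  # dept -> event -> {recipients}
    for r in records:
        seen[r["dept"]][r["event"]].add(r["user"])
    summary = {}
    for dept, ev in seen.items():
        sent = ev["sent"]
        # Only recipients the campaign actually targeted count towards the rate;
        # activity from anyone else is surfaced separately as a stray event.
        clicked = ev["clicked"] & sent
        reported = ev["reported"] & sent
        stray = (ev["opened"] | ev["clicked"] | ev["reported"]) - sent
        n = len(sent)
        summary[dept] = {
            "sent": n,
            "clicked": len(clicked),
            "reported": len(reported),
            "click_rate": round(len(clicked) / n, 4) if n else None,
            "report_rate": round(len(reported) / n, 4) if n else None,
            "stray_events": len(stray),
        }
    return summary


def overall_click_rate(summary):
    """Campaign-wide click rate over all targeted recipients, or None if none were sent."""
    total_sent = sum(s["sent"] for s in summary.values())
    total_clicked = sum(s["clicked"] for s in summary.values())
    return round(total_clicked / total_sent, 4) if total_sent else None


def above_threshold(summary, max_click_rate=0.05):
    """Departments whose click rate exceeds the threshold; departments with no sends are skipped."""
    return sorted(d for d, s in summary.items()
                  if s["click_rate"] is not None and s["click_rate"] > max_click_rate)


if __name__ == "__main__":
    result = summarise(parse_log(SAMPLE_LOG))
    for dept, stats in sorted(result.items()):
        print(dept, stats)
    print("overall click rate:", overall_click_rate(result))
    print("above 5% threshold:", above_threshold(result))
```

The 5% threshold is chosen here because it matches the worst industry figure quoted above; in practice a team would track the rate per department across successive campaigns and use the trend, not one campaign's number, to decide where training effort goes.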
Security Awareness for your Organisation
Enjoyed our blog? Learn more about how Hut Six can help improve your security awareness with training and simulated phishing. Start a free trial now, or book a meeting with one of our experts.