Eye-Opening Phishing Research Results Show the Risks of Human Error


Looks like things are getting crazier by the month, right? One of the main things that makes it even worse is bad guys preying on the gullibility and ignorance of your users.

Unfortunately, very few untrained employees can spot a phishing attack. Those that can, are often not provided with a clear process of what to do to circumvent and/or report it. Most organizations rely far too much on just technology to defend their networks and do not leverage the power of a human firewall.

You already know it is bad out there and steadily getting worse. Just one example is that between March and April 2020, IBM saw a 6,000% increase in spam attacks exploiting COVID-19. Bad guys are taking advantage of stress, distraction, and heightened emotions to trick unsuspecting users working from home.

You did not sign up for this, but you are in the trenches of a cold cyber war. However, here are some new research results that shed some light on what you can do about it.

Our KnowBe4 2020 Phishing By Industry Benchmark Report analyzed a data set of over 4 million users across 17,000 organizations with over 9.5 million simulated phishing security tests across 19 industries.

The study focused on three phases:

  1. Baseline Phishing Security Test Results with no prior employee training;
  2. Phishing Security Test Results Within 90 Days of Training; and
  3. Phishing Security Test Results After One Year+ of Ongoing Training.

We found that consistency pays off. A comprehensive security awareness training program for all your employees will help your organization reduce your Phish-prone percentage from an average of 37.9% down to 4.7% in just 12 months.

We also looked at top-clicked phishing email subject lines across social media related subjects, general subjects, and "in the wild" attacks. Recent attacks exploiting Covid-19 held 5 of the top 10 spots, with top honors going to subject lines related to password updates.

The sobering fact is that social engineering attacks are not going away anytime soon. Our research shows that organizations who are not engaging in proactive security awareness training and not conducting phishing simulations are shockingly at risk, with many organizations demonstrating Phish-prone percentages well-above forty percent.

Our international benchmarks show that Europe and Africa are most at risk. Africa's emerging economy and untrained users are very attractive to cyber criminals.

At KnowBe4 we are certain about the following:

  1. Every organization is at serious risk without new-school security awareness training
  2. Any organization can strengthen security through end-user training in as little as 3 months
  3. An effective security awareness training strategy can help accelerate results for all organizations

Ensuring that your employees are on their toes with security top of mind is not only your organizational but also legal responsibility. Do not be a statistic. This is by far the best bang for your security budget.

Sustaining Partners