These 7 Big Factors Complicate a Company’s Phishing Risk Calculus
When looking at the cyberattack risks that businesses face today, phishing tops the chart. It’s a problem that also just keeps getting worse – 84% of businesses in a new study said that they were the victims of a successful phishing attack in 2021, a 15% increase over the same 12-month period in 2020. Phishing attacks are also growing more sophisticated thanks in part to abundant dark web data that helps the bad guys shape effective campaigns. In this flood of phishing, it’s critical that employees are aware of phishing threats and able to make the right choices when faced with a suspicious email. Unfortunately, all too often that isn’t the case, leading to a cybersecurity nightmare for their employers.
Is it time to update your security awareness training policy – or create one? These 6 tips can help! DOWNLOAD NOW>>
These 7 Factors Have a Major Impact on Phishing-Related Security
An estimated 65% of insider threat incidents are caused by employee actions around phishing. Understanding the risk factors that can drive good and bad employee decision-making around phishing can help organizations gain a clear picture of their phishing risk.
1. The Permanent X-Factor: Human Error
Human error is the culprit in an estimated 90% of security breaches according to IBM’s X-Force Threat Intelligence Index. Those errors can range from sending a coworker a file they’re not authorized to see to downloading a malicious attachment from a phishing email. One-fifth of employees admit to making mistakes like falling for phishing tricks that caused them to interact with malicious messages at work – and these seven risk factors can impact employee behavior around phishing.
2. The Lure of Social Engineering Traps
Just like any other business, cybercriminal gangs are always looking for ways to maximize efficiency, and phishing fits the bill. It’s the cheapest, easiest and most effective way to penetrate a company’s security. Of course, it’s also something that evolves just like any other business process, with changing techniques, increasing sophistication and new traps making it hard for companies to keep up. It’s also hard for everyone else to keep up – 97% of employees are unable to spot a sophisticated phishing email. Clicking on a phishing email is the most likely way that an employee will cause a security breach. In a Stanford University study, researchers determined:
- One in four employees (25%) said they have clicked on a phishing email at work
- Nearly 45% of respondents cited distraction as the top reason for falling for a phishing scam
- Around 50% of employees are sure that they have made an error that led to a security incident
Can you spot a phishing message? This infographic points out red flags to watch for to sniff them out! DOWNLOAD IT>>
3. Careless Handling of Attachments
The bane of IT teams, employees are regularly faced with convincing phishing schemes that utilize attachments. An estimated 48% of malicious email attachments are disguised as a routine file, running the gamut from a termination notice to a list of charitable resources. This was recently illustrated by a flood of phishing around charitable relief for Ukrainians in the wake of the Russian invasion. Microsoft Office formats like Word, PowerPoint and Excel are popular file extensions for cybercriminals to use when transmitting malware via email, accounting for 38% of phishing attacks. The next most popular delivery method: archived files such as .zip and .jar, which account for about 37% of malicious transmissions.
4. Irregular or Non-Existent Security Awareness Training
More than half of businesses do not engage in regular security awareness training, and that’s a huge mistake that costs them in the end. In a UK study on companies running phishing simulations, researchers discovered that 40 – 60% of untrained employees are likely to open malicious links or attachments. After about 6 months of training that number dropped to 20% to 25%. After 3 to 6 months more training, the percentage of employees who opened phishing messages plummeted to only 10% to 18%. Accenture places the ideal number of training courses for employees each year at 11, or just a little under one per month.
5. A Lack of Caution About Clicking Links
Far too many employees are not Judicious about clicking links in email messages. CyberNews reports that 1 in 3 employees are likely to click the links in phishing emails, and 1 in 8 employees are likely to share information requested in a phishing email. Even more alarmingly, 67% of the employees tested in a phishing simulation who clicked through to the dummy malicious website submitted their login credentials, up from a scant 2% in 2019.
- In a phishing simulation, users in North America struggled the most, posting a 25.5% click rate and an 18% overall credential submission rate.
- This means that a little over 7 out of every 10 clickers willingly compromised their logins.
- Users in Europe exhibited lower click and submission rates of 17% and 11%, respectively.
Get a step-by-step guide to building an effective security and compliance awareness training program. GET GUIDE>>
6. A Weak Security Culture
The kind of negligence that helps mistakes flourish can arise from a company having a bad security culture. Security is everyone’s job, but not everyone understands that. 45% of respondents in a HIPAA Journal survey said that they don’t need to worry about cybersecurity safeguards because they don’t work in the IT department. That’s a disaster waiting to happen. That ignorance can be compounded by leadership attitudes toward security. In a CNBC survey, 56% of SMB owners said they are “not very concerned” about being the victim of a cyberattack in the next 12 months, and 24% said they were “not concerned at all.”
7. Fear of Repercussions
No company benefits when employees are kept in the dark about security or made to think of it as a big, complicated, dangerous bugbear. Besides, every tech team would rather learn about a security incident when it’s just a little difficulty, not when it has snowballed into a giant disaster. But far too often, employees behave dangerously because they’re afraid of asking for help or clarification, and that’s no help to anyone.
- Just under 30% of employees fail to report cybersecurity mistakes out of fear.
- More than 40% of employees don’t report potential phishing out of fear of getting in trouble.
- About 45% of employees click emails they consider to be suspicious “just in case it’s important.”
The right dark web monitoring could be the difference between security success or failure. This checklist helps you find it GET IT>>
Build Strong Defenses Against Risks Like These
ID Agent offers two powerhouse solutions that can help organizations lower their risk and build strong defenses against today’s biggest cybercrime risks by educating employees and closing security gaps, setting them up for security success.
Security and Compliance Awareness Training
BullPhish ID is the ideal affordable security and compliance awareness training solution for companies of any size.
- Gain access to a huge library of security and compliance training videos in 8 languages with quizzes to measure retention – and 4 new video lessons are added a month
- Run phishing simulations easily using plug-and-play or customizable phishing training campaign kits with new kits released regularly
- Automate the delivery of training and the generation and delivery of reports to stakeholders
Dark Web Monitoring
Dark Web ID makes it easy for companies to reduce their dark web credential compromise risk.
- Uncover all of an organization’s exposed credentials in minutes
- Gain peace of mind against credential exposure with 24/7/365 monitoring using real-time, analyst validated data
- Enjoy fast alerts to compromises of business and personal credentials, including domains, IP addresses and email addresses
Schedule your demo of Dark Web ID and BullPhish ID now.
Don’t just take our word for it, see what these customers have to say: https://www.idagent.com/case-studies/
Go inside nation-state cybercrime to get the facts and learn to keep organizations safe from trouble! GET EBOOK>>
Our Partners typically realize ROI in 30 days or less. Contact us today to learn why 3,850 MSPs in 30+ countries choose to Partner with ID Agent!
Is your password compromised? Find out in seconds!
Book your demo of Dark Web ID, BullPhish ID and Passly now!