Phishing Awareness Training Neglect Comes Back to Haunt Businesses
Get Cracking on Phishing Awareness Training or Risk a Phishing Disaster
In a volatile risk atmosphere, nothing has been more of a threat than phishing. This one hub is the starting point for most of today’s most devastating cyberattacks from ransomware to credential compromise. Google has registered 2,145,013 phishing sites as of Jan 17, 2021. This is up from 1,690,000 on Jan 19, 2020 (up 27% over 12 months). That’s not slowing down either. After a banner year for phishing risk in 2020, it was hard to believe that there was any more real estate for phishing to climb. Unfortunately, that wasn’t the case – and companies who slacked on security awareness training during the pandemic are paying the price.
Use our Cybersecurity Risk Protection Checklist to find vulnerabilities before the bad guys do! GET IT>>
Phishing is Still Crushing Records
Phishing is still experiencing triple-digit growth in 2021 – up almost 300% over 2020’s record-breaking numbers in May and June respectively – and companies in every sector are getting hammered with attacks. An astonishing 80% of IT professionals in a recent survey said that their organizations have faced an increase in the number of phishing attacks that they’re combatting in 2021. Unfortunately, more phishing attempts has translated into more phishing attack disasters for many companies. An estimated 74% of respondents in the same survey said that their companies had been successfully phished in the last year.
Phishing attacks against businesses are commonly fueled by dark web data, and there’s plenty for cybercriminals to choose from. A flood of records stolen in past data breaches has made its way to the dark web including an estimated 22 million new records in 2020 alone. Experts had already estimated that 65% of the information on the dark web at the start of 2020 could harm businesses and this influx of stolen information provides abundant fresh fuel for cybercrime, increasing everyone’s risk.
Is your email domain protected against phishing? Are your customers? Find out now with the Graphus Domain Checker. CHECK NOW>>
Security Awareness Training is a Proven Winner
This is important for businesses to remember: the top cause of data breaches is still human beings. Specifically, errors made by employees. It is far too easy for cybercriminals to concoct compelling phishing messages that can fool employees into handing over credentials or opening a ransomware-laden document – 48% of malicious email attachments are Office files. Employees also fear missing out on an important message far more than they fear unleashing malware or falling for a phishing attack. An estimated 45% of employees click emails they consider to be suspicious anyway “just in case it’s important.”
In a survey of responses to phishing simulations, every industry had problems with employees clicking on a phishing email. CyberNews reports that 1 in 3 employees are likely to click the links in phishing emails, and 1 in 8 employees are likely to share information requested in a phishing email. This is especially problematic in some industries. The top 5 industries most at risk for a phishing related cybersecurity incident are:
- Consulting
- Apparel and accessories
- Education
- Technology
- Conglomerates
Phishing resistance and security awareness training is a proven method to mitigate phishing risk. Companies that engage in regular security awareness training that features phishing resistance have up to 70% fewer cybersecurity incidents. But many companies have deprioritized training in the chaotic scramble of the business world in the last year, even as phishing risk climbed and employees who were not trained to work remotely took the plunge. Plus, even if training is happening it’s done in such a desultory way that employees don’t receive enough training on the correct threats. All in all, far too many companies are courting disaster by neglecting training.
Protection from cybercrime danger is easy when you deploy your secret weapon: security-savvy employees! WATCH WEBINAR>>
Training Once Isn’t Enough
The danger to your organization is real and it is growing. The data that we gathered from BullPhish ID users in 2020 paints a very clear, very disturbing picture that organizations need to face: Employees at companies of any size in any industry are prime targets for cybercrime because they will click phishing email. The numbers don’t lie: employees are regularly getting and falling for phishing emails every day. In a recent study of North American staffers, experts discovered that:
- 67% of clickers (13.4% of overall users) submitting their login credentials, also up substantially from 2019, when just 2% submitted their credentials.
- The Public Sector and Transportation sectors struggled the most, posting a click rate of 28.4%.
- The Education and Finance & Insurance sectors performed considerably better than others, with click rates of 11.3% and 14.2%, respectively.
- Users in North America struggled the most with the phishing simulation, posting a 25.5% click rate and an 18% overall credential submission rate. This means that a little over 7 out of every 10 clickers willingly compromised their login data.
- Users in Europe exhibited lower click and submission rates of 17% and 11%, respectively.
A little over 95% of IT professionals who responded to a survey said that their organizations have security awareness and phishing resistance training programs. Those programs can range from high-quality ongoing classes to occasional ad hoc meetings. But a much smaller percentage of those companies are invested in making sure their employees complete their security awareness training. Only 30% of the surveyed pros could say that 80% or more of their company’s employees had completed any formal security awareness training courses. That means that companies understand the benefits of security awareness training but are often challenged in running and delivering it, wasting time and money.
But just running a few training courses for your staffers isn’t enough to foster strong cybersecurity awareness. Making sure that every staffer from the C-Suite to the interns is taking and refreshing training courses regularly is vital to gaining and keeping awareness high and cybersecurity incidents caused by phishing low. In a report from consulting giant Accenture detailing the characteristics of a cyber-resilient organization, researchers placed the ideal number of training courses for employees each year at 11, or just a little under one per month. This prevents courses from becoming rote but still keeps the topic fresh in employees’ minds.
See how to grow your business with a new revenue stream in the time it takes to drink a cup of coffee. LEARN MORE>>
Don’t Make a Cybercriminal’s Job Easier
Many companies are finding that their employees have become easy dupes for cybercriminals, and that’s an enormous risk in a volatile cybercrime landscape where attacks are up across the board. That lack of training and awareness has created phishing problems for many companies. An estimated 34% of survey respondents said that a lack of employee understanding of today’s sophisticated phishing threats was their biggest problem. This disconnect is pronounced in surveys of employees. More than 90% of employees in a cybersecurity awareness survey said that they’re confident in their ability to spot a phishing threat – but only 84% felt that their colleagues could do that too.
In a UK study on phishing simulations, researchers discovered that 40 – 60% of the employees surveyed were likely to open malicious links or attachments at the start of the study. But consistent cybersecurity awareness training made a huge difference in those employees’ behavior. In follow-up testing, after about 6 months of training, the percentage of employees who took the bait in every industry dropped 20% to 25%. Further training produced a steeper drop. After 3 to 6 months more training, the percentage of employees who opened phishing messages dropped to only 10% to 18%.
See how ransomware really works, who gets paid & what’s next in our tell-all Ransomware Exposed! DOWNLOAD IT>>
BullPhish ID Recruits Everyone to Your Security Team
More than 55% of remote workers rely on email as their primary form of communication with their coworkers, but less than 55% of companies engage in regular phishing resistance training. Whether that’s because of perceived challenges in running training or simple neglect, that’s a problem. ID Agent can help.
BullPhish ID is the ideal solution to use for regular phishing resistance training. Our newly revamped security awareness training powerhouse contains everything needed to conduct efficient, effective, painless phishing resistance training that gets the job done at an excellent value. You’ll enjoy:
- Fully customizable training simulation kits including messages, URLs, and attachments
- Videos that can be customized to deliver specialized training
- Pre-made plug-and-play phishing kits for fast deployment
- Training around the latest threats with new kits added monthly
- Simple, clear progress reports that demonstrate the value of training
- Learn more about the new BullPhish ID in this webinar: https://www.idagent.com/resources/relaunch
See how BullPhish ID’s updated features and functions features can help you charge into safety in this video:
Stay off the hook and on the job by avoiding phishing attacks that might carry ransomware with our eBook The Phish Files. GET IT>>
Our Partners typically realize ROI in 30 days or less. Contact us today to learn why 3,850 MSPs in 30+ countries choose to Partner with ID Agent!
Check out an on-demand video demo of BullPhish ID or Dark Web ID WATCH NOW>>
See Graphus in action in an on-demand video demo WATCH NOW>>
Book your demo of Dark Web ID, BullPhish ID, RocketCyber or Graphus now!