ACCORDING TO VERIZON'S 2019 DATA BREACH INVESTIGATION REPORT, PHISHING WAS THE #1 THREAT ACTION USED IN SUCCESSFUL BREACHES LINKED TO SOCIAL ENGINEERING AND MALWARE ATTACKS.
Every security leader faces the same conundrum: even as they increase their investment in sophisticated security orchestration, cybercrime continues to rise. Often security seems to be a race between effective technology and clever attack methodologies. Yet there’s an overlooked layer that can radically reduce an organization’s vulnerability: security awareness training and frequent simulated social engineering testing.
According to Verizon’s 2019 Data Breach Investigation Report, phishing was the #1 threat action used in successful breaches linked to social engineering and malware attacks. These criminals successfully evade an organization’s security controls by using clever phishing and social engineering tactics that often rely on employee naivete. Emails, phone calls and other outreach methods are designed to persuade staff to take steps that provide criminals with access to company data and funds.
Each organization’s employee susceptibility to these phishing attacks is known as their Phish-prone™ percentage (PPP). By translating their risk into measurable terms, leaders can quantify their breach likelihood and adopt training that reduces their human attack surface.
UNDERSTANDING RISK BY INDUSTRY
An organization’s PPP indicates how many of their employees are likely to fall for a social engineering or phishing scam. These are the employees who might be fooled into opening a file infected with malware or transferring company funds to a fraudulent offshore bank account. A high PPP indicates greater risk, as it points to a higher number of staff who typically fall for these scams. A low PPP is optimal, as it indicates the staff is security-savvy and understands how to recognize and shut down such attempts.
The overall Phish-prone percentage offers even more value when placed in context. After seeing their number, many leaders ask questions such as “How does my organization compare to others?” and “What can we do to reduce our Phish-prone percentage?”
KnowBe4, the world’s largest Security Awareness Training and Simulated Phishing platform, has helped organizations reduce their vulnerability by training their staff to recognize and respond appropriately to common scams. To help companies evaluate their PPP and understand the implications of their ranking, KnowBe4 conducts an annual study to provide definitive phish-prone benchmarking across industries. Categorized by industry vertical, organization size, and the amount or frequency of security awareness training, the study reveals patterns that can light the way to a stronger and safer future.
2019 PHISHING BY INDUSTRY BENCHMARKING STUDY
Every company wants an answer to the essential question: “How do I compare with others who look like me?” To provide a nuanced and accurate answer, the 2019 Phishing By Industry Benchmarking Study analyzed a data set that included nearly nine million users across 18,000 organizations with over 20 million simulated phishing security tests across nineteen different industries.
All 18,000 customers were using the KnowBe4 platform according to the recommended best practices for a new-school security awareness approach:
Running an initial baseline test
Training their users through realistic on-demand, interactive training
Frequent simulated testing at least once a month to reinforce the training
New to the 2019 Report are seven additional industries including Banking, Construction, Consulting, Consumer Services, Hospitality, Legal, and Transportation. All organizations were broken down by industry type and size. To calculate each organization’s Phish-prone percentage, we measured the number of employees that clicked a simulated phishing email link or opened an infected attachment during a testing campaign using the KnowBe4 platform.
Analyzing Training Impact
To understand the impact of security awareness training, we measured outcomes at three touchpoints to answer the following questions:
Phase One: If you haven’t trained your users and you send a phishing attack, what is the resulting PPP? To do this, we monitored employee susceptibility to an initial baseline simulated phishing security test.
Phase Two: What is the initial resulting PPP across industries and sizes after training and monthly simulated phishing tests? We answered this question by measuring phish-prone behavior after 90 days of training and phishing security tests.
Phase Three: What is the final resulting PPP across industries and sizes after continued training and monthly simulated phishing tests? To answer this, we measured security awareness skills after 12 months of training and phishing security tests.
Who’s at Risk: Ranking Industry Vulnerability
The results across the nine million users highlights a drastic predicament for organizations that don’t feel the need or choose not to invest in new-school security awareness training which includes phishing security tests. The Phish-prone percentage data shows that no single industry across all-sized organizations is doing a good job at recognizing the cybercriminals phishing and social engineering tactics. When users have not been tested or trained, the initial baseline phishing security tests show how likely users in these industries are to fall victim to a phishing scam and put their companies at risk for potential compromise.
The overall PPP average across all industries and size organizations was 29.6%, up 2.6% from 2018. Trends varied across different industries, revealing the bleak truth that untrained users are failing as an organization’s last line of defense against phishing attacks.
Specific trends show industry Phish-prone percentages increased across all industries at initial baseline testing and include:
Across small and mid-size organization categories, Construction companies had the highest percentage of “Phish-prone” employees, ranking at 37.9 percent and 37.1 percent respectively.
While small and mid-sized Insurance companies were displaced by Construction companies this year, unfortunately their Phish-prone percentages increased from 35.5 percent and 33.3 percent to 36.1 percent and 34.9 percent respectively.
For the large organizations of 1,000 or more employees, new to the 2019 Report, Hospitality companies displaced Not-for-Profit companies and took the lead with an astounding 48.4 percent.
All three industries with 1,000 + employees from 2018 were displaced this year including Insurance and Technology, being replaced by Construction and Energy & Utilities companies in the large organization category ranking high at 36.7 percent and 34.4 percent respectively.
The winner of the lowest Phish-prone benchmark was large Transportation organizations at 16 percent, another new industry included in the 2019 Report, which is still a significant number when considering how many users in a larger organization could put your organization in jeopardy if they click on a phishing link.
Download the rest of the report here.