Published : 5 years ago, on 11/07/2019

By Javvad Malik, security awareness advocate at KnowBe4

With Gartner expecting global security spend to increase above $120 billion and cybercrime on the rise, cybersecurity vendors are in a strong position to aid organisations with the latest innovative and sophisticated technologies to meet the growing demand for security. Despite this,companies are still floundering when it comes to getting security right as evident in the first half of 2019, with over 40 high level data breaches. These have resulted in at least 4 billion records containing highly sensitive information being exposed. One threat that seems to be at the heart of these incidences is phishing. Evidently, something is not quite right.

Javvad Malik

According to Verizon’s 2019 Data Breach Investigations Report, phishing was the top threat in successful breaches that were linked to social engineering and malware attacks. Even with security technologies in place, hackers are still successfully avoiding defences by reverting to using ingenious phishing and social engineering methods that target what is often considered the weakest link in security – humans. Whether it be over the phone, duping an individual via email or another creative outreach method, there are numerous ways hackers can extract critical information from unsuspecting staff members.

Which industry struggles most?

When analysing the risk posed to a particular sector, research found there was an increase of 2.6 percent in 2019 to 30 percent across all industries compared to 2018. This was done by measuring the organisation’s Phish-prone percentage (PPP) which would quantify the likelihood of a breach from a phishing attack that targeted the workforce. Although there was a slight uptick in overall risk to all industries, there were some standout stats when examining small, medium and large companies. For instance, across small and mid-sized organisations, those in construction were the most phish-prone, ranking in at 38 percent and 37 percent respectively. Some may be surprised by construction leading the pack, but when you consider those within this industry handle client data or confidential project information, intellectual property, subcontractor data or financials and even employee data including health data, it is understandable why these businesses are being targeted the most.

When investigating large companies (1,000+ employees), the hospitality industry had 48 PPP and was found to be most prone to falling victim to a phishing scam.Those within hospitality have had to quickly come to terms with the disruptive nature of cyberattacks as in the past decade high profile breaches have struck major enterprises such as Hilton, Hyatt, Marriott International and the travel trade organisation Abta.

Organisations that are mid-sized and operated within the banking and financial services industries were slightly higher than the baseline average with PPP’s at 31 and 32 respectively. Given the substantial amount of sensitive personal and financial information that passes through this sector, cybercriminals are naturally going to be drawn to it. No wonder the UK’s Financial Conduct Authority revealed the number of cyber-incidents rose by more than 1000% in 2018.

On the other hand, staff working in transportation were found to be the least susceptible and achieved the lowest PPP with 16 percent. Yet, this is still a significant number when you consider how many users in a larger organisation could put the company at risk by unknowingly clicking a fraudulent link.

The Human firewall

It is often preached that in order to build a strong enough defence against phishing attacks, organisations need to start from within. There is an element of truth in this, but the strength of this defence depends entirely on the tactics and strategies used when training employees. To radically reduce vulnerabilities being disclosed and change end-user behaviour, the right testing and training needs to take place. This begins with a baseline test across the entire business which will give business leaders a PPP for the workforce that can then be used as an indicator to measure against future tests. Depending on the PPP percentage comes staff learning exerciseswhich involve on-demand, interactive and engaging computer-based training. By doing away with the old and archaic PowerPoint slides and incorporating engaging videos and awareness modules,businesses will see an increase in both attention and retention.

Once the initial teaching has been conducted, it’s time to test the workforce again by simulating actual attack methods to mimic real-world threats. This helps train the mindset to create new habits while reinforcing what was learned previously. Once the results from the replicated tests are calculated, business leaders will then have a clear idea of how their employees have responded to the training and the fake phishing scams. Without this benchmark, organisations will forever be at risk.This new-school approach aims to improve overall security through good training in a rapid time frame and results can be seen in as little as three months. Companies that adopted this approach saw the PPP drop in 90 days from an average of 30 percent to 15 percent. This fell further to two percent after 12 months of continued CBT and phishing training showing the effectiveness of this new teaching.

Once organisations gain a clear understanding of how they and their employees stack up in terms of phishing awareness, the path to making them an efficient last line of defence or a ‘human firewall’, can truly begin. In the end, every business, regardless of its size and industry, is vulnerable to social engineering attacks as each individual staff member is seen as a possible entry point for hackers. Therefore, its high time businesses began arming the workforce with the necessary tools, knowledge and training material to help them avoid putting the company in potential jeopardy.