Without training one in three users fall for phishing scams
New research finds that, if they haven't received security awareness training, one in three users will likely fall for a phishing or social engineering scam that could put their organization at risk.
The study from awareness training specialist KnowBe4 set out to measure organizations' phish-prone percentage (PPP) and found an initial baseline of 31.4 percent across all industries and sizes.
After just 90 days of computer-based training and simulated phishing testing, however, the average PPP was down to 16.4 percent. And after a year of monthly simulated phishing tests and regular training, the PPP further declined to just 4.8 percent. Across all industries, there's an average 84 percent improvement rate from baseline testing to 12 months of training and testing.
The results are based on a data set of 6.6 million users across 23,400 organizations with over 15.5 million simulated phishing security tests. They show that employees in the energy, utilities and insurance sectors are especially vulnerable.
"In critical industries like energy and utilities, and healthcare and pharmaceuticals where lives can be severely impacted, we found particularly high levels of cybersecurity risk as a result of simulated phishing test failures," says Stu Sjouwerman, CEO of KnowBe4. "This is deeply concerning. Organizations should monitor their risks due to the majority of data breaches originating from social engineering. This data shows us that implementing security awareness training with simulated phishing testing will help to better protect organizations against cyber attacks."
The full report is available from the KnowBe4 site.