Training makes critical infrastructure employees better at spotting phishing attacks

New research from security behavior change specialist Hoxhunt shows that 66 percent of active participants in security behavior training programs at critical infrastructure organizations detect and report at least one real malicious email attack within a year.

The report -- based on analysis of over 15 million phishing simulations and real email attacks reported in 2022 by 1.6 million people participating in security behavior change programs -- shows the effectiveness of training in making staff more engaged in organizational security.

After 12 months of a program being in place, the rate at which critical infrastructure employees report a simulation, rather than skipping or failing it, is 61 percent higher than the global average.

"Over the past several years, attacks on critical infrastructure have become all too common, leaving fuel pumps and store shelves empty," says Mika Aalto, CEO and co-founder of Hoxhunt. "In response, critical infrastructure organizations and their employees are exponentially more aware and cautious of malicious activity. This higher state of caution has spurred many security and risk leaders to move away from traditional security awareness programs and choose new innovations like Security Behavior Change products to achieve true risk reduction."

The attacks most likely to succeed are spoofed internal communications, such as a message that appears to come from the IT helpdesk or a colleague. While this is the most effective type of phishing attack across most sectors, Hoxhunt's study finds that in the critical infrastructure sector these attacks produce a failure rate 11.4 percent higher than the global average.
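Spoofed internal mail is effective because the display name and From: address look like a colleague's, while the signals that expose it live in headers most users never open. The following is an added example, not code from Hoxhunt or from the report, of the checks a mail gateway or a reporting-triage script can apply to a reported message: DMARC result and Return-Path consistency for mail claiming an internal From: domain, and look-alike domain or internal-looking display name for mail from outside. The corporate domain `example.com`, the `.test` sender domains, and the four sample messages are all constructed for this illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

INTERNAL_DOMAIN = "example.com"  # assumed corporate domain, not from the report

# Single-character swaps commonly used to build look-alike domains (1->l, 0->o, 3->e, 5->s)
_CONFUSABLES = str.maketrans("1035", "lose")


def normalize_domain(domain: str) -> str:
    """Fold common visual tricks (including rn->m) so a look-alike domain
    compares equal to the domain it imitates."""
    return domain.lower().replace("rn", "m").translate(_CONFUSABLES)


def domain_of(address: str) -> str:
    return address.rpartition("@")[2].lower()


def auth_results(msg) -> dict:
    """Pull the spf/dkim/dmarc verdicts out of the Authentication-Results
    header stamped by the receiving MTA."""
    header = msg.get("Authentication-Results", "")
    return {k.lower(): v.lower()
            for k, v in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", header, re.I)}


def classify(raw: str) -> list:
    """Return a list of finding tags; an empty list means no spoofing indicator."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(addr)
    _, return_path = parseaddr(msg.get("Return-Path", ""))
    findings = []

    if from_domain == INTERNAL_DOMAIN:
        # Mail claiming an internal sender must pass DMARC and bounce to our own domain
        if auth_results(msg).get("dmarc") != "pass":
            findings.append("dmarc_not_pass")
        if return_path and domain_of(return_path) != INTERNAL_DOMAIN:
            findings.append("return_path_mismatch")
    else:
        # External sender: flag a look-alike domain or a display name posing as internal
        if normalize_domain(from_domain) == normalize_domain(INTERNAL_DOMAIN):
            findings.append("lookalike_domain")
        if INTERNAL_DOMAIN in name.lower():
            findings.append("display_name_spoof")
    return findings


# Constructed sample messages (headers only matter here)
SPOOFED_INTERNAL = """\
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=mail-bulk.test; dkim=none; dmarc=fail header.from=example.com
Return-Path: <bounce@mail-bulk.test>
From: "IT Helpdesk" <helpdesk@example.com>
To: alice@example.com
Subject: Password expiry notice

Your password expires today. Reset it using the link below.
"""

LOOKALIKE = """\
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=examp1e.com; dkim=pass header.d=examp1e.com; dmarc=pass header.from=examp1e.com
Return-Path: <dana.ruiz@examp1e.com>
From: "Dana Ruiz (CEO)" <dana.ruiz@examp1e.com>
To: alice@example.com
Subject: Urgent wire transfer

Please handle this today.
"""

DISPLAY_NAME = """\
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=webmail.test; dkim=pass header.d=webmail.test; dmarc=pass header.from=webmail.test
Return-Path: <promo44@webmail.test>
From: "alice.chen@example.com" <promo44@webmail.test>
To: bob@example.com
Subject: Shared document

Open the attached file.
"""

LEGIT = """\
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com; dmarc=pass header.from=example.com
Return-Path: <helpdesk@example.com>
From: "IT Helpdesk" <helpdesk@example.com>
To: alice@example.com
Subject: Scheduled maintenance

Mail will be unavailable Saturday 02:00-04:00.
"""

if __name__ == "__main__":
    for label, raw in [("spoofed", SPOOFED_INTERNAL), ("lookalike", LOOKALIKE),
                       ("display-name", DISPLAY_NAME), ("legit", LEGIT)]:
        print(label, classify(raw) or "clean")
```

The DMARC check only has value if the organization's own domain publishes a DMARC policy and the gateway stamps Authentication-Results before delivery; without that, an attacker can simply forge the header, so a production version should also strip any Authentication-Results header that arrives from outside.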

Timothy Morris, chief security advisor at converged endpoint management company Tanium, says:

I remember the security awareness training programs from the last century as if they were yesterday. Mouse pads and coffee mugs that read: 'We can't spell S E C _ R I T Y without U.' It still holds true that humans are the weakest link in cybersecurity. Millions are spent on security tools. Yet, one 'clicker' can circumvent it all.

The report shows that while most companies do train for compliance, say four phish training events per year, those that engage in more frequent training perform better. Plus, it is evident from the report that behavior modification improves with rewards-based training versus the more prevalent failure models that are used with phishing software awareness training tools. The adaptive training methods and gamification using AI for their simulations appear to have more positive results.

You can get the full report from the Hoxhunt site.

Image credit: galgogczygabriel/depositphotos.com


© 1998-2024 BetaNews, Inc. All Rights Reserved. Privacy Policy - Cookie Policy.