Manufacturing and energy/utilities are two of the top six industries that have the highest percentage of phish-prone employees, a new survey found.
Drawn from a data set of more than six million users across nearly 11,000 organizations, the study conducted by KnowBe4 benchmarks real-world phishing results.
Results show a sharp drop in careless clicking to just 13 percent 90 days after initial training and simulated phishing, and a further drop to two percent after 12 months of combined simulated phishing and computer-based training (CBT).
Researchers anonymously tracked users by company size and industry at three points:
1. A baseline phishing security test
2. Results after 90 days of combined CBT and simulated phishing
3. Results after one year of combined CBT and simulated phishing
“Ninety-eight percent of cyber-attacks rely on social engineering, and email phishing is the bad guys’ preferred method,” said Stu Sjouwerman, chief executive at KnowBe4. “Attackers go for the low-hanging fruit: humans. Humans are the de facto No. 1 choice for cybercriminals seeking to gain access into an organization. New-school security awareness training, which includes frequent simulated social engineering testing, is a proven method to dramatically slash an organization’s Phish-prone percentage.”
A key point shown in the survey is that one of the biggest issues affecting organizations is still the human element.
An organization can give its end users security systems and a multi-layered defense, but if the message does not come through loud and clear from the chief executive or the board, the awareness effort will have little chance of succeeding.
Much as with safety, a company that develops a strong security culture understands that keeping systems up and running not only protects the operation but also acts as a business enabler, helping manufacturers become more productive and, therefore, more profitable.
“Effectively managing this problem requires commitment and C-level buy-in, but it can be done and isn’t difficult,” Sjouwerman said.