A new Phishing by Industry Benchmarking Report showed that giving security awareness training to the employees considerably lowers risks to phishing attacks. KnowBe4 conducted the study to find out how helpful security awareness training is at lowering risks to phishing attacks. Data from 23.4 million simulated phishing emails sent to over 9.5 million users belonging to 19 industries and 30,000 organizations was analyzed. The organizations chosen were 22,558 small companies having 1-249 workers, 5,876 mid-sized companies having 250 to 999 workers, and 1,709 large companies having 1,000 and up workers.
Based on the 2022 Verizon Data Breach Investigations Report (DBIR), 82% of the data breaches that happened in 2021 involved a human factor, which confirms that people have a big part in security cases and data breaches. Cyber attackers continue to focus on the human factor since it offers a quick way of getting access to company systems, and one of the primary ways that workers are targeted is via phishing, which is increasing year over year.
Technology is available to prevent phishing attacks, and although products like spam filters, antivirus application, and web filters work well and will prevent a considerable number of threats, a few threats will circumvent those defenses and will reach the workers. A lot of companies are not able to invest sufficiently in security awareness training and involvement, though it is just as essential as technology.
KnowBe4 set a standard against which the impact of security awareness training can be assessed, which the organization refers to as the phish-prone percentage (PPP). The standard PPP is the percent of workers who clicked on simulated phishing email messages before they get any security awareness training. Immediately after providing the training, after 90 days and after 12 months, the PPP was recomputed.
Throughout all industries and company sizes, the average standard PPP was 32.4%, this figure is one point more compared to 2021. The standard in small healthcare and pharmaceutical companies (32.5%) was the second worst among all industries, followed by education (32.7%). The PPP was also the second worst in mid-sized companies (36.6%) following the hospitality industry (39.4%), and fourth worst in big companies has a 45% PPP.
The phishing test was done again 90 days after giving the training, the PPP had decreased to 19.7% for small healthcare and pharmaceutical companies, 19.1% for mid-sized companies, and 17.2% at large companies. Percentage declines of 12.8, 17.5, and 27.8 respectively. Throughout all industries, the PPP dropped from 32.4% to 17.6%. These stats obviously show the advantages of giving security awareness training to workers and that training gives a quick return on investment.
The third stage of the study required another phishing test a year after continuous training and the average PPP throughout all industries and company sizes decreased from 32.4% to 5%. The medical care and pharmaceutical industryies noticed the PPP decrease to 4.1% in small companies, 5.1% in mid-sized companies, and 5.9% in big companies. That translates to an 87% betterment in small medical care and pharmaceutical organizations, an 86% development in mid-sized companies, and an 87% enhancement in big companies.
Just like any substantial change, it requires time to break old routines and make new ones. After forming new habits, they turn into the new normal, an element of the company culture, and have an effect on how other people conduct themselves, new hires who turn to other people to see what is socially and culturally appropriate in the company.
KnowBe4 additionally remarked that to be able to positively alter overall security behaviors, the security awareness training services must have a clearly described and conveyed requirement, a solid alignment with company security guidelines, an active link to overall security climate, and complete support of management. With no constant and serious executive support, increasing security awareness inside a company is sure to fail.