Operator error is often blamed as the weak link in a company’s cyber armor. A new, expansive study by security awareness firm KnowBe4 simultaneously offers more evidence for that claim while making a case for security training.
More than one in four employees are tempted to click on a malicious link or open a bogus email, KnowBe4 found in research conducted with some six million users across 11,000 small-, medium- and large-sized organizations in 12 industries and services. Insurance and non-profit employees are the main culprits: More than 30 percent of employees in each of those industries were most often duped by phishing attacks, the study uncovered.
User Training: Fewer Phishing Attack Victims?
KnowBe4 tested workers on their vulnerability to phishing scams before awareness training, again after 90 days of initial training and simulated phishing, and then after one year of training. On average for the entire study, 27 percent of users clicked on a bad email or link at the outset of the investigation.
However, after 90 days of training and simulated phishing, the percentage of victims fell to 13 percent in small and large outfits and 16 percent in mid-sized organizations. As one might expect, after a year of training, the figures dipped to about two percent.
Small and mid-sized insurance companies had the highest percentage of “phish-prone” employees (the percentage that clicked on a link or opened an infected attachment during testing) at 35 and 33 percent, respectively, while non-profits led in large organizations of 1,000 or more employees at about 31 percent. Large business services organizations had the lowest phish-prone benchmark at 19 percent.
By industry, insurance had the highest phishing clicks at roughly 33 percent of employees, followed by manufacturing at 31 percent, technology at 30 percent and non-profits at 29.9 percent. Of note, government ranked the lowest in phishing vulnerability at 25 percent.
Here are the full rankings by industry for baseline phish-prone percentages:
- Insurance 32.7%
- Manufacturing 31%
- Technology 30.1%
- Not for Profit 29.9%
- Retail & Wholesale 28%
- Energy & Utilities 27.9%
- Healthcare & Pharma 27.8%
- Other: 27.4%
- Education 27.2%
- Business Services 26.7%
- Financial Services 26.3%
- Government 25.1%
Human Error: Still the Weakest Link
“Ninety-eight percent of cyber-attacks rely on social engineering and email phishing is the bad guys’ preferred method,” said Stu Sjouwerman, CEO of KnowBe4. “Attackers go for the low-hanging fruit: humans. Humans are the de-facto No. 1 choice for cyber criminals seeking to gain access into an organization. Effectively managing this problem requires commitment and C-level buy-in, but it can be done and isn’t difficult.”
Last October, KnowBe4 landed $30 million in Series B financing bringing its total haul to $44 million. The seven-year old company competes with PhishMe and Wombat in the security training market.
