IT staff are more likely to click on phishing links and are often worse at reporting threats than their peers elsewhere in the organization, according to new research from F-Secure.
The security vendor tested over 82,000 participants from four organizations to compile its study, To Click or Not to Click: What We Learned from Phishing 80,000 People. They were exposed to several tactics commonly used by cyber-criminals to steal data, deploy malware and conduct business email compromise (BEC).
Worryingly, in the two organizations studied where technical staff were tested, they showed a greater propensity to click.
In one of the companies, 30% of DevOps and 21% of IT staff clicked on test phishing emails, compared to an average of just 11% for all departments. In the other organization, the rate for DevOps was 26%, slightly higher than the average of 25% overall.
That’s despite more technical staff than the average claiming to be alert to the problem of phishing. In one organization, 17% of respondents said they had noticed a phishing email in their inbox in the past, versus 27% of IT and 29% of DevOps respondents.
In the other, the average for spotting phishing was 44% but shot up to 60% for those working in DevOps.
Technical staff members are also poor at flagging phishing attacks. In one organization, IT and DevOps came third and sixth out of nine departments in terms of reporting. In the other, DevOps was the twelfth best at reporting out of 17 departments, while IT came down in fifteenth place.
Matthew Connor, F-Secure service delivery manager and lead author of the report, claimed that over-confidence might be partly to blame for the results.
“I don’t believe you reduce susceptibility by teaching people about phishing. I believe you reduce susceptibility by making sure staff know the basics and by motivating them to want to spend the time and effort identifying and reporting phishing attacks,” he told Infosecurity.
“It is possible that the technical staff know what phishing is but have too much confidence in the technical protective measures in place and in their own ability to spot attacks. This leads them to be relaxed and susceptible, rather than alert and secure.”
Connor argued that reporting is a crucial link in the corporate security chain to help detect and prevent attacks and build resilience.
“Either technical staff in these organizations genuinely did not spot the phishing attempts and are not as adept as they may think, or they are not following the best practices to support the business,” he concluded.
“Ultimately for me, this study shows that technical staff need just as much support as the rest of the organization in combatting phishing.”