When it comes to phishing, there’s been an encouraging 64% increase in organizations measuring end-user risk from 2015 to 2016. But the good news gets more scarce from there.
According to Wombat Security Technologies’ State of the Phish report, 76% of infosecurity professionals still report that their organizations have been victims of a phishing attack this year. Half (51%) said the rate of attacks is increasing. So while training and education are working, the threat of attacks remains high.
About 38% of infosec professionals who reported a phishing attack cited a disruption of employee activity as the largest impact on their organization compared to data loss or compromised accounts.
Despite an increase in general awareness of the concept of phishing, end-users continue to make their organizations vulnerable through other risky behaviors, such as checking personal email on work devices and keeping work data on their personal devices.
Also, the consumer survey showed a key cultural difference between US and UK employees in how much they blur the lines between work and home. In the US, 49% of those surveyed reported checking their work email on their personal phone, compared to 29% in the UK; and 50% of the respondents in the US admitted to checking personal email on their work computers, compared to 31% in the UK.
Consumers were surveyed to test their awareness not only of phishing, but also of ransomware. When asked, "What is phishing?", 65% of those surveyed in the US answered correctly. However, 52% were not even able to make a guess at "What is ransomware?"
End-users who don't recognize or understand the risks of ransomware are also unlikely to practice safe behaviors, such as properly backing up files, which can reduce the effectiveness of a ransomware attack.
"Social attacks take advantage of employees trying to be helpful so it stands to reason that social awareness of attack methods plays a critical role in protecting against phishing," said Eric Ogren, senior security analyst at 451 Research. "Enterprises with corporate phishing education programs empower employees to help protect themselves and the business."
The third annual State of the Phish report analyzed data from tens of millions of simulated phishing emails over 12 months (a 155% increase over the number of emails examined in the previous report), as well as more than 500 survey responses from infosec professionals and more than 2,000 answers from employed computer users in the US and the UK on their phishing knowledge and behavior.
"Staying vigilant and implementing a continuous training methodology is key to securing organizations," said Joe Ferrara, president and CEO of Wombat. "We've seen an increase in organizations making an investment in an end user security training and awareness program with 66% of infosec professionals now measuring their organization's susceptibility to phishing and 92% training end users on how to identify and avoid phishing attacks."