If you think security awareness education is expensive, try ignorance
Facts surrounding spear phishing all point to employees as the most cited culprits and to security awareness training as the most effective remedy. Yet not all training programs are equal.
Recent research sponsored by KnowBe4 shows that email spear phishing is now the number one source of data breaches, with human error at the root of it all. A new study from Osterman Research reports that 67% of respondents say malware has successfully penetrated their corporate networks through email, with web surfing a close second at 63%. Another 23% say malware has infiltrated their networks but they still don’t know how.
With 91% of successful data breaches originating from a phishing or spear-phishing email, KnowBe4 has expanded its toolset to include more advanced anti-phishing tools, with good results. Over a 12-month period, KnowBe4 analyzed 3600 phishing tests sent to 291,000 seats. The results showed the top four click-bait emails, all of which drew double-digit click rates: LinkedIn InMail at 19.9%, an email from “IT” asking you to change your password at 18.8%, Amazon at 13.7%, and UPS at 11.4%. While a recent Proofpoint study says 1 in 10 users typically click on a malicious URL, the most recent Verizon report puts the average open rate of phishing emails at 23% and the click-through rate at 11%.
KnowBe4 CEO Stu Sjouwerman noted, “For compliance reasons, too many companies still rely on a once-a-year breakroom ‘death by PowerPoint’ training approach, or just rely on their filters, do no training and see no change in behavior. Our Kevin Mitnick Security Awareness Training is an integrated platform for awareness education combined with an extensive library of templates that allow IT managers to schedule regular phishing tests to keep users on their toes with security top of mind. After our training we see a radical decrease in clicks on phishing emails from an initial average of 16 percent to a Phish-prone percentage of just 1.28% after 12 months.”
The most recent PwC 2015 Global Information Security Survey shows that businesses with security awareness training report significantly lower average financial losses from cybersecurity incidents, and that those that do not train employees reported annual losses four times greater than those that do.
According to Websense Security Labs, one third of end users continue to click on malicious email links, demonstrating that they are increasingly “desensitized” to warnings, lack a feeling of responsibility, and lack enterprise-driven education.
“A good security awareness program will help the user recognize red flags and give him a sense of confidence in his ability to spot a social engineering attempt,” said Sjouwerman. “It is much less expensive to train your staff than suffer the consequences of a data breach to your bottom line and the company’s reputation. As Derek Bok, former Harvard University president, once said: If you think education is expensive, try ignorance.”