As cybercrime continues to surge, security leaders must understand that there is no such thing as a perfect, foolproof, impenetrable secure environment. Many organizations fall into the trap of trying to use technology as the only means of defending their networks, forgetting that human awareness and intervention are paramount in arriving at a highly secured state. Every security leader faces the same conundrum: even as they increase their investment in sophisticated security orchestration, cybercrime continues to rise. Security is often presented as a race between effective technologies and clever attack methodologies. Yet there is an overlooked layer that can radically reduce an organization’s vulnerability: security awareness training and frequent simulated social engineering testing.
Verizon’s 2019 Data Breach Investigation Report shows that phishing remains the #1 threat action used in successful breaches linked to social engineering and malware attacks. Criminals successfully evade an organization’s security controls by using clever phishing and social engineering tactics that often rely on employee naivete. Emails, phone calls and other outreach methods are designed to persuade staff to take steps that provide criminals with access to company data and funds.
Each organization’s employee susceptibility to these phishing attacks is known as their Phish-Prone™ percentage (PPP). By translating phishing risk into measurable terms, leaders can quantify their breach likelihood and adopt training that reduces their human attack surface.
Understanding Risk by Industry
An organization’s PPP indicates how many of their employees are likely to fall for social engineering or phishing scams. These are the employees who might be fooled into opening a file infected with malware or transferring company funds to a fraudulent offshore bank account. A high PPP indicates greater risk, as it points to a higher number of employees who typically fall for these scams. A low PPP is optimal, as it indicates the staff is security-savvy and understands how to recognize and shut down such attempts. In short, a low PPP means that an organization’s human security layer is providing security strength rather than weakness.
The overall Phish-Prone percentage offers even more value when placed in context. After seeing their PPP, many leaders ask questions such as “How does my organization compare to others?” and “What can we do to reduce our Phish-Prone percentage?”
KnowBe4, the world’s largest Security Awareness Training and Simulated Phishing platform, has helped tens of thousands of organizations reduce their vulnerability by training their staff to recognize and respond appropriately to common scams. To help companies evaluate their PPP and understand the implications of their ranking, KnowBe4 conducts an annual study to provide definitive Phish-Prone benchmarking across industries. Categorized by industry vertical, organization size, and the amount or frequency of security awareness training, the study reveals patterns that can light the way to a stronger and safer future.
2020 PHISHING BY INDUSTRY BENCHMARKING STUDY
Every company struggles to answer an essential question: “How do I compare with other organizations that look like me?” To provide a nuanced and accurate answer, the 2020 Phishing By Industry Benchmarking Study analyzed a data set of over 4 million users across 17,000 organizations, with over 9.5 million simulated phishing security tests across 19 different industries.
All organizations were categorized by industry type and size. To calculate each organization’s Phish-Prone percentage, we measured the number of employees who clicked a simulated phishing email link or opened a simulated infected attachment during a testing campaign run on the KnowBe4 platform.