A new study by the consultancy firm Censuswide has revealed the extent to which employees are being tricked by phishing emails and how, despite the danger of data breaches and regulatory fines, many firms are not providing security awareness training to their staff.
For the study, 500 office staff were questioned by the consultancy firm Censuswide. While all the respondents were located in Ireland, the results of the survey reflect the findings of similar studies carried out in other countries, including the United States.
14% of all questioned office staff said that they had been tricked by a phishing email, which would equate to around 185,000 office workers in Ireland.
There were significant differences in susceptibility to phishing emails across the different age groups: millennials, Generation X, and baby boomers. The age group most likely to be tricked by phishing scams was millennials (17%), followed by baby boomers (7%), and Generation X (6%).
Respondents were asked how confident they were in their ability to recognize phishing scams. Even though almost three times as many millennials had been tricked by phishing scams as Generation Xers, millennials had the greatest confidence in their ability to spot phishing scams.
14% of millennials answered that they would not be certain that they could recognize fraud, compared to 17% of Gen Xers, and 26% of baby boomers.
The survey showed that one in five workers had not been provided with security awareness training of any description, but even when training was provided, many office workers still engaged in unsafe practices such as clicking hyperlinks or opening email attachments in messages from unfamiliar senders. 44% of baby boomers admitted having taken one of those actions in the past, as opposed to 34% of millennials, and 26% of Gen Xers.
The consequences of a successful phishing attack can hit a company hard. Phishing attacks can lead to major financial losses, especially when financial details are stolen. Phishing attacks can inflict long-lasting damage on the reputation of a company, business may be lost, companies can be subjected to lawsuits from individuals whose personal information has been illegally obtained, and regulators can issue substantial civil monetary fines.
While security solutions can be put in place to block the majority of phishing emails, it is not possible to stop all phishing emails from being delivered to inboxes. Security awareness training for all employees in a company, from the CEO down, is therefore vital.
Security awareness training should be dealt with in the same way as health and safety training. It is an organizational and HR issue, not solely the responsibility of the IT department.
Simply providing a yearly training session for staff members is no longer enough. Phishing attacks are becoming more complex and cybercriminals are regularly changing tactics. Businesses therefore need to educate their staff members continuously to ensure training is not forgotten and to keep employees up to date with new threats.
Yearly or biannual training sessions should be supplemented by regular refresher training sessions to help develop a security culture. Phishing email simulations are also effective in reinforcing training, gauging the effectiveness of training sessions, and spotting weak points.