A new KnowBe4 study of phishing statistics for top industries shows that small insurance companies have the highest percentage of phish-prone employees in the small to mid-size organization category. Among large organizations, not-for-profit organizations take the lead.
[Figure: Benchmark phish-prone percentage by industry]
Radical drop of careless clicking
The study, drawn from a data set of more than six million users across nearly 11,000 organizations, benchmarks real-world phishing results. The results show a radical drop in careless clicking to just 13 percent 90 days after initial training and simulated phishing, and a steeper drop to two percent after 12 months of combined simulated phishing and computer-based training (CBT).
Researchers anonymously tracked users by company size and industry at three points:
1. A baseline phishing security test
2. Results after 90 days of combined CBT and simulated phishing
3. Results after one year of combined CBT and simulated phishing, which the study describes as encouraging
“What this data from KnowBe4 emphasises is that one of the biggest issues affecting organisations is still that of the human element. Ultimately, you could have all the security systems in the world, and adopt a multi-layered approach, but if it isn’t driven from the top down, then it has little effect. The most successful companies that we work with are the ones that have taken cyber and information security into the boardroom and have it as a number one priority,” Andy Miles, CEO of ThinkMarble, told Help Net Security.
“Executives and Directors have a responsibility and a duty to protect their companies and people and, just like they take Health and Safety seriously for fear of financial and reputational repercussions, the same approach needs to be adopted for basic cyber hygiene principles. Week in, week out, we see businesses being compromised and held to ransom. What will it take for this issue to be taken seriously in the boardroom? We should take the lead from the New York State Department of Financial Services, which has implemented new regulations in which it is no longer a matter of what ‘should’ be done but what ‘must’ be done to comply and protect the data and information held within the business. If the boardroom can’t understand and get the basics right, then there is a good chance they will suffer an attack,” Miles concluded.