Security Awareness Training Dramatically Reduces Phishing Proneness

Every industry is susceptible to phishing but security awareness training can drop their phish-prone percentage dramatically according to Tampa Bay, Fla.-based KnowBe4, in its “2019 Phishing by Industry Benchmarking Study.”

It its study KnowBe4, which provides security awareness training and a simulated phishing platform to improve how organizations use their people as part of its security defense, measured an organization’s average phish-prone percentage, indicating how many employees are likely to fall for a phishing or social engineering scam.

The overall PPP, per KnowBe4, offered even more value when placed in context – for example there was a 30% baseline phish-prone percentage across all 19 industries examined. This year, the banking vertical saw baseline PPP numbers between 25.7% (1,000-plus users) and 29.3% (1-249 users). After 90 days of security awareness training, the PPP dropped to 16.4% (1,000-plus users) and 9.7% (1-249 users), and after a year of continuous training and testing, those numbers dropped even farther to 3.2% (1,000-plus users) and 1.3% (1-249 users). The financial services industry as a whole showed similar numbers.

“Often times, organizations overlook security awareness training and simulated social engineering testing because they’re focused on implementing security technology instead of building up their human layer of defense,” Stu Sjouwerman, CEO, KnowBe4 said. “This report shows that employees are not getting the right amount of cybersecurity training to help properly protect their organizations, and we need to change that.”

The report noted every company wants an answer to the essential question: “How do I compare with others who look like me?” To provide a nuanced and accurate answer, the 2019 study analyzed a data set that included nearly nine million users across 18,000 organizations with over 20 million simulated phishing security tests across nineteen different industries.

The final report broke out each industry in three ways – an initial benchmark phishing test, results after 90 days of training and, again, after 12 months of training. All customers used the KnowBe4 platform according to the recommended best practices for a new-school security awareness approach:  running an initial baseline test; training their users through realistic on-demand interactive training; and frequent simulated testing at least once a month to reinforce the training.

Phase 1: The study focused on the initial baseline phishing test, administered to organizations with no previous security awareness training, to users without warning by IT staff and out of the gate on untrained, unaware people going about their regular job duties. Across all industries and all sizes, the average phish-prone percentage was 29.6%, up 2.6% from 2018. That means nearly 1 out of 3 employees (opposed to 1 out of 4 in 2018) was likely to click on a suspicious link or email or obey a fraudulent request.

Phase 2: After 90 days of computer-based training and simulated phishing security testing results changed dramatically. The Phish-prone percentage fell by half, consistent with the 2018 study. One observation: The drop in PPP was not specific to a certain industry or organization size.

Phase 3: After 12 months of combined computer-based training and simulated phishing security testing, they measured only organizations conducting 12 months of testing while adhering to best practice recommendations to run phishing tests at least once a month. The results showed having a consistent, mature awareness training program took the average PPP from 29.6% all the way down to 2% – regardless of industry and size of organization. “Originally we saw that large enterprise organizations scored better PPPs in their initial baseline test. In the final phase of the study, it became clear that these same organizations needed more time to turn the ship around and move in the right direction,” the report claimed.

KnowBe4 said the results from all three phases of the study revealed several conclusions:

• Every organization is at serious risk without new-school security awareness training. companies could face exposure to social engineering and phishing scams by more than a quarter of their workforce.
• Any organization can strengthen security through staff training in as little as three months.
• An effective security awareness training strategy can help accelerate results, especially for large organizations.