A large number of employees are still being fooled by phishing emails, a new study has revealed. Additionally, despite the risk of data breaches and regulatory fines, many companies are not providing security awareness training to their employees to combat this phenomenon.
To conduct this study, the consultancy firm Censuswide surveyed 500 office workers. While all the respondents were based in Ireland, the results were almost identical to those of similar studies conducted in other countries, e.g. the United States.
14% of the office workers surveyed admitted to having fallen for a phishing email at some stage. That percentage equates to about 185,000 office workers in Ireland.
The different age groups surveyed showed notable differences in susceptibility. The age group most likely to be fooled by phishing scams was millennials (17%), followed by baby boomers (7%) and Generation X (6%).
When asked how confident they were in their ability to identify phishing scams, millennials were the group with the greatest confidence. However, this confidence would appear to be misplaced, as almost three times as many millennials had fallen for phishing scams as Generation Xers.
26% of baby boomers said they would not be certain that they could identify a scam, compared to 17% of Gen Xers and just 14% of millennials.
According to the survey, one in five workers had not been given any security awareness training whatsoever. Even when training was provided, many office workers still engaged in unsafe practices such as clicking hyperlinks or opening email attachments in messages from unknown senders. 26% of Gen Xers admitted to having done one of those things in the past, compared to 34% of millennials and 44% of baby boomers.
A successful phishing attack can have severe consequences for the organisations affected. Phishing attacks can cause substantial financial losses, particularly when financial information is stolen, and lasting damage to a company's reputation. Companies can face lawsuits from individuals whose personal information has been exposed or stolen, and regulators can issue substantial civil monetary penalties as a result of an attack.
There are various security solutions that can be implemented to block the majority of phishing emails. Even with these solutions in place, it is not possible to prevent every phishing email from being delivered to inboxes. Therefore, security awareness training for everyone in the company, from the CEO down, is essential to minimise the threat of phishing.
Nowadays, simply providing an annual training session for employees is no longer sufficient. Phishing attacks are becoming more sophisticated as technology improves, and cybercriminals' tactics are constantly changing as a result. It is therefore vital for businesses to educate their employees continually, so that training is not forgotten and employees stay aware of new threats.
Regular refresher training sessions should be completed by employees throughout the year to help develop a security culture. Phishing email simulations may also be useful for gauging the effectiveness of training sessions and identifying weak links.