We already know ransomware is a problem, but it is a two-pronged discussion. Part of the problem is the prevalence and ease of access to very sophisticated ransomware technology. The other part is how well organizations can stop attacks. New data in Trend Micro’s How to Reduce the Risk of Phishing and Ransomware report exposes where organizations are struggling to stop attacks.
According to the report, the four things organizations do best to protect against phishing and ransomware threats are:
- Protecting endpoints from malware
- Protecting end users from ransomware
- Protecting backup integrity
- Training end users on detecting and addressing phishing/social engineering
Despite these efforts, the report goes on to report the percentage of organizations that have experienced each of 17 different types of security incidents. The top three are:
- A business email compromise attack was successful in tricking at least one lower-level employee within our company (53% of organizations)
- A phishing message has resulted in a malware infection (49%)
- A phishing message has resulted in an account compromise (47%)
I can’t help but wonder if the “training” being given to users is truly Security Awareness Training as we here at KnowBe4 define it. Our research has shown that 38% of employees within an organization generally will fail a phishing test (and, therefore, the real thing). Many organizations identify quarterly break room training or monthly email reminders as “awareness training”. But we see it as a continual education of the user, keeping them constantly updated on the latest campaigns, methods, social engineering tactics, and their role in the organization’s security. This is accomplished through continual online Security Awareness Training matched with monthly phishing testing.
According to our research, this combination can reduce the 38% of employees failing a phishing test down to just 4.7% of employees – a reduction in the organization’s human threat surface of 87%!
I would encourage you to scrutinize how your organization defines Security Awareness Training and take a look at effective ways to train your users to play a part in your organization’s security stance.