The prevalence of cyber crime continues to soar, victimizing individuals in both their work and private lives. Cybercriminals are indiscriminate, targeting around the clock and across the globe.
With digital security advancing, these criminals shift their focus to exploiting human weakness amidst increasingly secure technological environments. The persistent temptation of exploiting human vulnerability attracts these criminals to potential weaknesses across various organizational hierarchies and diverse segments of society, taking advantage of any breach they find.
As artificial intelligence (AI) increasingly becomes a part of the technological landscape, vigilance in the realm of cybersecurity is more crucial than ever. AI systems possess the ability to rapidly analyze extensive data sets and identify patterns that would take humans much longer to recognize, if at all.
But this capability can be a double-edged sword. While it can improve cyber defenses, it also provides sophisticated tools that hackers can use to uncover and exploit vulnerabilities. The use of AI can expedite the attack process, scaling the number of targets and increasing the probability of successful breaches.
As AI-powered cyberattacks grow in sophistication, it becomes imperative that security awareness programs also evolve with a maniacal focus on human risk management.
2024 Phishing by Industry Benchmarking Report
Into this evolving threat landscape KnowBe4 has released the seventh annual Phishing by Industry Benchmark Report. The report analyzes Phish-prone™ Percentage (PPP) across millions of individual users pulled from anonymized KnowBe4 customer data. The report underscores the vital importance of organizations investing in their workforce to reinforce overall defensive capabilities, support a robust security culture and move the needle favorably on human risk management.
This year’s inclusion dataset spanned 19 industries and comprised over 11.9 million users across 57,000 organizations with over 54.1 million simulated phishing security tests. It also provides a thorough analysis across seven geographical regions: Africa, Asia, Australia/New Zealand, Europe, North America, South America and the United Kingdom/Ireland.
Here’s what we found:
- For 2024, the overall PPP baseline average across all industries and size organizations was 34.3%, meaning just more than a third of an organization’s employee base could be at risk of clicking on a phishing email prior to receiving training.
- However, only 18.9% of those same users will fail within 90 days of completing their first KnowBe4 training.
- After at least a year on the KnowBe4 platform, only 4.6% of those users will fail a phishing test.
- Organizations reduced their susceptibility to phishing attacks by an average of 86% (+4 points over the prior year) in one year by following our recommended approach.
The purpose of the Phishing by Industry Benchmarking Report is to analyze and understand the impact of a new-school security awareness approach on an organization’s susceptibility to phishing or social engineering attacks. To do this, we analyze data from three phases:
- Phase One: If you haven’t trained your users and you send a phishing attack, what is the initial resulting PPP? To answer this, we monitored employee susceptibility to an initial baseline simulated phishing security test. From that established set of users, we looked at any time a user had failed a simulated phishing security test prior to having completed any training.
- Phase Two: What is the resulting PPP after users complete training and receive simulated phishing security tests within 90 days after training? We answered this question by finding when users completed their first training event and looking for all simulated phishing security events up to 90 days after that training was completed.
- Phase Three: What is the final resulting PPP after users take ongoing training and monthly simulated phishing tests? To answer this, we measured security awareness skills after 12 months or more of ongoing training and simulated phishing security tests, looked for users who completed training at least one year ago, and took the performance results on their very last phishing test.
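The three-phase measurement described above, as an added worked example; this is not the report's own code or KnowBe4's actual method. The users, event rows and AS_OF date are constructed, and the aggregation rule (a user counts as Phish-prone in a phase if any test counted for that phase was failed) is an assumption about how the phases roll up to a percentage.

```python
from collections import defaultdict
from datetime import date, timedelta

# Constructed sample events (not KnowBe4 data): (user, date, kind, failed).
# kind "training" = module completed; "test" = simulated phish, failed=True on click.
EVENTS = [
    ("alice", date(2023, 1, 10), "test", True),
    ("alice", date(2023, 1, 20), "training", None),
    ("alice", date(2023, 3, 1), "test", False),
    ("alice", date(2024, 2, 5), "test", False),
    ("bob", date(2023, 1, 10), "test", False),
    ("bob", date(2023, 1, 25), "training", None),
    ("bob", date(2023, 2, 14), "test", True),
    ("bob", date(2024, 3, 1), "test", True),
    ("carol", date(2023, 1, 10), "test", True),
    ("carol", date(2023, 2, 1), "training", None),
    ("carol", date(2023, 6, 1), "test", False),   # outside the 90-day window
    ("dave", date(2024, 6, 1), "test", False),    # never trained: phase 1 only
    ("dave", date(2024, 7, 1), "test", True),
]
AS_OF = date(2024, 8, 1)  # constructed "today" used for the phase-3 cutoff

def relevant_tests(rows, phase, as_of, window=90, min_days=365):
    """Test outcomes counted for `phase` for one user; [] = not in that cohort."""
    trainings = [d for d, k, _ in rows if k == "training"]
    t0 = min(trainings) if trainings else None
    if phase == 1:   # every test delivered before the first training
        return [f for d, k, f in rows if k == "test" and (t0 is None or d < t0)]
    if t0 is None:
        return []
    if phase == 2:   # tests within `window` days after the first training
        end = t0 + timedelta(days=window)
        return [f for d, k, f in rows if k == "test" and t0 <= d <= end]
    if (as_of - t0).days < min_days:   # phase 3: trained a year or more ago
        return []
    tests = [f for d, k, f in rows if k == "test" and d <= as_of]
    return tests[-1:]                  # only the very last test counts

def ppp(events, phase, as_of=AS_OF):
    """Phish-prone Percentage: share of in-cohort users with a failure."""
    users = defaultdict(list)
    for user, when, kind, f in events:
        users[user].append((when, kind, f))
    failed = total = 0
    for rows in users.values():
        outcomes = relevant_tests(sorted(rows, key=lambda r: r[0]), phase, as_of)
        if outcomes:
            total += 1
            failed += any(outcomes)
    return round(100 * failed / total, 1) if total else None
```

With the constructed events, `ppp(EVENTS, 1)`, `ppp(EVENTS, 2)` and `ppp(EVENTS, 3)` give 75.0, 50.0 and 33.3, showing the same downward trend the report describes across the three phases.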
Focusing on the Human Element
Organizations persist in assessing and reinforcing their technological defenses, yet it is the human element that remains the most appealing and susceptible to exploitation by cyber attackers. By adopting a new-school security awareness approach, which emphasizes comprehensive and continuous education, testing and communication, organizations can empower their employees to become the first line of defense.
Here’s how these strategies contribute to a strong security culture:
Variety of Content: Offering a mix of educational materials helps cater to different learning styles and keeps the learner engaged. This can include videos, interactive modules and games that cover a wide range of topics from password security to recognizing phishing attacks. Also, people consume information in various ways, so using multiple delivery channels ensures wider reach. This could involve online training platforms, email campaigns, in-person workshops, webinars and even social media. By disseminating information through different avenues, you increase the likelihood of engagement and comprehension.
Continuous Testing: Year-round testing helps maintain a high level of alertness and builds instincts. Regular phishing simulations train employees to identify and report attempts, turning these exercises into muscle memory. Security cannot be a once-a-year event or focus. Cyber threats are relentless and ever evolving, so a singular focus on Security Awareness Month doesn’t provide adequate defense.
All-Channel Communication: Engaging with employees across all channels where they convene, whether it’s internal messaging systems, company forums, intranet sites, or physical boards, ensures that security remains a top-of-mind issue. By maintaining an ongoing dialogue about cybersecurity, staff members become more proactive about both personal and organizational cyber hygiene.
By employing a strategy that involves various types of content, leverages multiple delivery mediums, includes continuous testing and training, and communicates through different channels, organizations can foster a culture of security awareness that dramatically reduces the risk of cyber incidents. Such an approach makes every employee an empowered participant in the company’s cybersecurity efforts.
Why This Is Important
During my tenure at the helm of security awareness and training at Gartner, engaging with thousands of clients, one consistent revelation stood out: the minimal efforts most organizations put forth to increase the preparedness of their human defense layer.
Most organizations regard training as a compulsory task to satisfy a requirement (merely “checking the box”), instead of recognizing it as a strategic initiative that can foster a security-conscious culture. In such a culture, every employee knows the significance of and accepts the responsibility for maintaining security awareness in both their professional and personal lives.
Addressing the human aspect of security isn’t an action that can be taken lightly; it requires a sustained and holistic approach. There is no finish line. Only through a relentless and continuous program can behaviors be reshaped, replacing entrenched unsafe habits with new, secure practices.
Advice to Keep in Mind
- It’s essential to foster a resilient security culture. Security culture, as defined by KnowBe4, is the ideas, customs and social behaviors of an organization that influence their security. All employees should understand what their role and responsibility is to protect the organization and themselves from being vulnerable to a cyberattack.
- Increase the frequency of your security awareness training while decreasing the time invested. A regular, consistent cadence is required to drive substantial and sustainable behavior change.
- Frequent simulated phishing campaigns are a key component of your overall security awareness program. Regularly testing employees will increase your employees’ resilience to being compromised and keep their phish-spotting skills sharp.
- Work with experts. Security awareness content is like no other and should be designed by experts who understand the behavior changes required to create an effective human defense layer, while also providing an engaging learning experience. Don’t get caught in a cycle of boring, ineffective, unappealing content.
KnowBe4’s leadership in the market isn’t coincidental. Our position stems from having the empirical data and extensive research that highlights the critical role of the human layer in cybersecurity. We offer the only proven program designed to help organizations cultivate a culture that is both more aware of security risks and better equipped to handle them.