74% of Organizations Punish Employees for Phishing Failures

Many cybersecurity threats keep cybersecurity professionals awake at night, but phishing attacks are at the top of the list. According to a recent survey of cybersecurity professionals by the email security software company Egress, 95% of security professionals are stressed about email security, and for good reason. The study revealed that 94% of organizations have suffered phishing attacks in the past 12 months, up 2% from last year, and 91% said they suffered data loss and exfiltration. 96% of targeted organizations said they were negatively affected by these attacks, compared to 86% in 2023.

Phishing has posed a serious threat to businesses for many years; however, the sophistication of attacks has increased, and phishing attempts are becoming even harder for employees to identify and avoid. One of the biggest concerns is phishing emails sent from compromised supply chain accounts, closely followed by internal account takeovers resulting from credential harvesting. There are also fears that AI tools such as large language models (LLMs) are being leveraged by cybercriminals. 63% of cybersecurity professionals said they are being kept awake at night by concern about deepfakes, and 61% by AI chatbots.

91% of respondents to the survey said they used secure email gateways (SEGs) and were frustrated with them, and 88% expressed concerns about Microsoft’s native controls for Microsoft 365. The latter is understandable, as 94% of respondents said they had experienced a security incident in their Microsoft 365 environment. 83% said they find static DLP rules unworkable for employees and administrators.

The majority of organizations now provide security awareness training for their workforce, but there is widespread concern about how effective their security awareness training programs are. 91% of cybersecurity professionals said they are concerned that their training is not effective, and those concerns appear to be well founded. 74% of respondents said they used out-of-the-box training modules; only 19% of surveyed organizations said they provide security awareness training that is tailored to each department or team, and only 9% said they tailor training to the individual.

Training is being provided frequently, with 59% of organizations claiming to provide security awareness training weekly or monthly and 30% conducting training quarterly; however, the responses to the survey indicate training is mostly seen as a checkbox item for compliance purposes, with 88% of organizations saying compliance is the main driver behind security awareness training. The biggest concern was that employees saw training as an annoyance and skipped through it as quickly as possible. This tends to happen more when training is not tailored to each department or role.

Organizations need to take responsibility if their security awareness training is not effective, yet employees are blamed if they fall for a phishing attack. 51% of respondents said they disciplined employees who fell for a phishing attack, 39% said employees were fired for falling for a phishing email, and 27% said employees voluntarily left their jobs.

“Cybersecurity leaders appear to be taking a tough stance on those employees who are caught out by phishing attacks, with negative outcomes for the people involved happening in 74% of organizations. I would caution them, however, to work with employees,” said Jack Chapman, VP of Threat Intelligence, Egress. “In my experience, people who fall victim have genuinely made a mistake. In today’s world, organizations owe it to their people to provide the right technology to detect advanced attacks and SAT programs that genuinely increase their understanding of real threats, reducing phishing risk for the long term.”

The Egress survey was conducted on 500 cybersecurity leaders in the US, UK, and Australia in the financial services, legal, healthcare, and government/charitable sectors.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news