A recent phishing survey of 500 office workers in Ireland has revealed the risks business leaders are taking by failing to provide security awareness training for employees.
Phishing is one of the easiest methods of gaining access to sensitive information and gaining a foothold in a network. Phishing is the act of deceiving users into disclosing sensitive information, usually via email. An email is sent with a lure to get the user to open the message. Social engineering techniques are then used to convince the user to take an action – either visiting a website, opening an email attachment, or replying to the message and disclosing sensitive information.
The study, conducted by Censuswide, suggests as many as 185,000 office workers in Ireland have been a victim of a phishing scam. While the survey was only conducted in Ireland, the results are similar to other studies conducted around the world. Together, these studies have shown that while many employees are confident that they can identify scam emails, in practice, many do not.
14% of respondents to the survey admitted they had been fooled by a phishing scam, but there were considerable differences in susceptibility between age groups. Gen Xers fared best, with just 6% of respondents in this age category saying they had been fooled by a phishing email. Baby boomers were also good at recognizing phishing scams, with just 7% having been fooled. The age group that fared worst was millennials, at 17%. What is particularly interesting is that millennials had the greatest level of confidence in their ability to identify phishing scams.
Only 14% of millennials said they would not be certain of their ability to spot a phishing scam, compared with 17% of the 42-53 age group and 26% of over-54s.
The lack of security awareness training was made clear by the percentages of individuals who had responded to phishing emails: 44% of over-54s said they had opened an attachment or clicked on a link in a phishing email, as had 34% of millennials and 26% of Gen X users.
Despite media coverage about phishing attacks and the frequency at which phishing emails are received by businesses, one in five office workers said they had never been provided with security awareness training. If security awareness training for employees is not provided, businesses cannot expect their employees to be able to identify phishing emails.
When done correctly, security awareness training for employees is effective. When training is provided, employees’ security awareness and their ability to identify phishing emails improve significantly. Figures from Cofense suggest that through regular, ongoing training, susceptibility to phishing attacks falls by more than 90%.
By making training mandatory, businesses can reduce risk and prevent many costly phishing attacks. Training does come at a cost, but through the prevention of phishing attacks, security awareness training for employees more than pays for itself.