“Cybersecurity training company KnowBe4 reports that the number of employees likely to fall for phishing emails drops dramatically with proper instruction on how to recognize an attack.
The report analyzed businesses in a variety of industries to build what KnowBe4 calls an organization’s “phish-prone percentage (PPP)," which indicates how many employees are vulnerable to such attacks. The average baseline, 31.4%, varied greatly by organization size and industry, with a full half of employees in large (1,000+) energy and utilities companies likely to fall for a phishing or social engineering attack “
Figure A: The most at-risk industries by organization size, as identified by KnowBe4.
“This is deeply concerning. Organizations should monitor their risks due to the majority of data breaches originating from social engineering. This data shows us that implementing security awareness training with simulated phishing testing will help to better protect organizations against cyber attacks," said KnowBe4 CEO Stu Sjouwerman.
KnowBe4’s data suggests that training is the answer to the dangerously high percentages. Within 90 days of training, KnowBe4 ran another phishing and social engineering test on the 23,400 organizations included in the report, and it found the average PPP score dropped to 16.4%. After ne year of ongoing training that number drops to just 4.8% (Figure B). That equates to an average improvement of 84%, the report said.