One in three untrained employees likely to click on a phishing link

Stu Sjouwerman, Chief Executive Officer at KnowBe4

KnowBe4, the security awareness training and simulated phishing company, has released the 2022 Phishing by Industry Benchmarking Report, which measures a firm’s Phish-prone™ Percentage (PPP): the share of its employees who are likely to fall for phishing.

With ransomware payments averaging $580,000 in 2021 and business email compromise (BEC) losses topping $1.8 billion in 2020, a cyber attack can wreak havoc on a company.

What were the findings of KnowBe4’s study?

According to the baseline testing conducted for the report, without security training, 32.4% of employees across all industries globally are likely to click on a suspicious link or comply with a fraudulent request. In some large industry categories, such as Consulting, Energy & Utilities, and Healthcare & Pharmaceuticals, the percentage is over 50%.

APAC region more vulnerable

The APAC region showed a slightly higher risk than the global average, with 34.5% of untrained employees likely to click on a suspicious link or comply with a fraudulent request across all industries and organisation sizes. Large firms (over 1,000 employees) with no prior KnowBe4 security training showed a PPP of 36.7%, four percentage points higher than the global average.

According to the Global State of Industrial Cybersecurity 2021: Resilience Amid Disruption Report released by Claroty, 80% of organisations in the APAC region were affected by ransomware attacks in 2021, with 51% paying the ransom. Meanwhile, 790 Singaporean victims fell prey to the recent OCBC Bank smishing scam, with total losses of SGD 13.7 million, illustrating that the potential cost to Asia Pacific businesses is huge.

KnowBe4 research analysed a data set of more than 9.5 million users across 30,173 organisations, with over 23.4 million simulated phishing security tests across 19 different industries. The resulting baseline “Phish-prone™ Percentage (PPP)” measures the percentage of employees in organisations that had not conducted any KnowBe4 security training who clicked a simulated phishing email link or opened an infected attachment during testing.

Simulated phishing training effective

When organisations implemented a combination of training and simulated phishing security testing after their initial baseline measurement, results changed dramatically. Within 90 days of completing monthly or more frequent security training, the average PPP decreased to 17.6%.

After twelve months of security training and simulated phishing security tests, the average PPP dropped to 5%, indicating that new habits become normal and foster a stronger security culture. In APAC, the PPP scores of small and medium-sized enterprises dropped to 21.1% and 19.2% respectively. After one year of training, small firms showed the greatest gain, with their PPP dropping to 4.4%.

Humans remain the biggest risk to cybersecurity

The 2022 Phishing by Industry Benchmarking Report underscores the fact that while technology plays a vital role in preventing and recovering from an attack, firms cannot ignore the human factor. According to the IBM Security X-Force Threat Intelligence Index 2022, which includes data for 2021, Japan, Australia and India were the three most-attacked countries in Asia.

Verizon’s 2022 Data Breach Investigations Report states that 82% of breaches this year involved the human element. It also describes the most common type of breach in APAC: financially motivated attackers phishing for employee credentials and then using the stolen credentials to gain access to email accounts and web application servers. Verizon reported that 70% of attacks in APAC contained a social engineering action.

What were the executive’s thoughts on the study?

“In critical industries like Health Services and Finance, where lives can be hugely impacted, we found high levels of cybersecurity risk as a result of simulated phishing test failures. With the steep cost of cyberattacks, this is deeply concerning,” said Stu Sjouwerman, CEO, KnowBe4.

“Given that most data breaches originate from social engineering, we cannot afford to omit the human element. Implementing security awareness training with simulated phishing testing will help protect firms against attacks and result in a more secure organisational culture.”

Download a copy of the KnowBe4 Phishing by Industry Benchmarking Report here.