Phishing emails masquerading as HR and IT-related communications are the most likely to be clicked on by employees as unveiled in a recent study, posing a significant cybersecurity risk to organizations across various industries.
The 2024 Phishing by Industry Benchmarking Report, conducted by KnowBe4, analyzed data from over 54 million simulated phishing tests.
While these tests are performed across more than 11.9 million users from 55,675 organizations in 19 different industries.
Through this report researchers at KnowBe4 highlighted the ongoing vulnerability of employees to social engineering attacks, particularly those that mimic internal communications.
Top three riskiest industries by organization size (Source – Knowbe4)
High Initial Vulnerability: The study found that without proper training, organizations across all industries and sizes faced an average Phish-prone Percentage (PPP) of 34.3%. This means that roughly one in three employees were likely to interact with malicious emails.
Industry-Specific Risks: Healthcare & Pharmaceuticals emerged as one of the most vulnerable sectors, with a PPP of 51.4% for large organizations. Other high-risk industries included Insurance (48.8%) and Energy & Utilities (47.8%).
Size Matters: Larger organizations (1000+ employees) generally showed higher vulnerability, with several industries exceeding a 40% PPP.
Technical Analysis
The report emphasizes the crucial role of comprehensive security awareness training:
- After just 90 days of training, the average PPP dropped to 18.9%, representing a nearly 50% reduction in vulnerability.
- Organizations that maintained ongoing training for a year or more saw their PPP plummet to an impressive 4.6%.
Methodology and data set (Source – Knowbe4)
Cybersecurity experts stress the importance of continuous education and testing. “Merely paying lip service to security awareness programs does little to shield an organization from attacks that target human vulnerabilities,” the report states.
2024 International Phishing Benchmarks (Source – Knowbe4)
To mitigate risks, organizations are advised to:-
- Implement regular, comprehensive security awareness training.
- Conduct frequent simulated phishing tests.
- Foster a security-conscious culture within the organization.
- Invest in both employee training and advanced technological defenses.
However, it’s important to note that the transforming employee behavior requires persistence, but the benefits of a security-aware workforce are invaluable in the face of increasingly sophisticated phishing attempts.
By prioritizing human risk management and encouraging a strong cybersecurity culture, organizations can significantly reduce their vulnerability to phishing attacks and other social engineering threats.