Large organisations in the hospitality industry have the highest phish-prone percentage (PPP), at 48%, and are therefore the most likely to fall victim to a phishing attack, a report shows.
The transportation industry is at the lowest risk, with large organisations in the sector scoring a PPP of just 16%, according to the latest Phishing by industry benchmarking report by security awareness training firm KnowBe4.
However, the report shows that the construction industry is the most phish-prone among both small and mid-sized organisations, with PPP scores of 38% and 37%, respectively.
The report is based on an analysis of nearly nine million users across 18,000 organisations with more than 20 million simulated phishing attacks across 19 industries.
The PPP indicates what proportion of an organisation’s employees is susceptible to social engineering or phishing scams. A high PPP indicates greater risk; a low PPP is optimal and indicates that a particular workforce is security aware and able to recognise a phishing attack.
Among large organisations, energy and utility firms came in third place after hospitality and construction, with a PPP of 34%.
In the medium-sized business category, the construction industry was revealed to be at the highest risk with a PPP of 37%, followed by insurance (35%) and manufacturing (34%). Among small businesses, construction again came top with a PPP of 38%, followed by retail (37%) and insurance (36%).
According to the study, the average PPP across all industries and sizes of organisations was 29.6% – an increase of 2.6% on 2018.
After 90 days of computer-based training and simulated phishing security testing, the overall PPP was cut in half across all industries. The PPP then dropped to just 2% after 12 months of security awareness training.
The report pointed out that, according to Verizon’s 2019 Data breach investigation report, phishing was the top threat action used in successful breaches linked to social engineering and malware attacks.
These criminals evade an organisation’s security controls by using phishing and social engineering tactics that often rely on employee naivety, the report said, with emails, phone calls and other outreach methods used to persuade staff to take steps that give criminals access to company data and funds.
Every organisation is at serious risk without new-school security awareness training, said the report. “With an average baseline PPP of 29.6%, companies could be exposed to social engineering and phishing scams by more than a quarter of their workforce,” it said, adding that an effective security awareness training strategy can help to accelerate improvement, especially for large organisations.