Phishing By Industry Benchmarking
Every security leader faces the same conundrum: even as they increase their investment in sophisticated security orchestration, cybercrime continues to rise. Often security seems to be a race between eﬀective technology and clever attack methodologies. Yet there’s an overlooked layer that can radically reduce an organization’s vulnerability: security awareness training and frequent simulated social engineering testing.
According to Verizon’s 2018 Data Breach Investigations Report, 93% of data breaches are linked to phishing and other social engineering incidents. These criminals successfully evade an organization’s security controls by using clever phishing and social engineering tactics that often rely on employee naiveté. Emails, phone calls, and other outreach methods are designed to persuade staﬀ to take steps that provide criminals with access to company data and funds.
Each organization’s employee susceptibility to these phishing attacks is known as their Phish-prone™ percentage (PPP). By translating their risk into measurable terms, leaders can quantify their breach likelihood and adopt training that reduces their human attack surface.
Understanding Risk By Industry
An organization’s PPP indicates how many of their employees are likely to fall for a social engineering or phishing scam. These are the employees who might be fooled into opening a ﬁle infected with malware or transferring company funds to a fraudulent oﬀshore bank account. A high PPP indicates greater risk, as it points to a higher number of staﬀ who typically fall for these scams. A low PPP is optimal, as it indicates the staﬀ is security-savvy and understands how to recognize and shut down such attempts.
The overall Phish-prone percentage oﬀers even more value when placed in context. After seeing their number, many leaders ask questions such as “How does my organization compare to others?” and “What can we do to reduce our Phish-prone percentage?”
KnowBe4, the world’s largest Security Awareness Training and Simulated Phishing platform, has helped organizations reduce their vulnerability by training their staﬀ to recognize and respond appropriately to common scams. To help companies evaluate their PPP and understand the implications of their ranking, KnowBe4 conducted a study to provide deﬁnitive phish-prone benchmarking across industries. Categorized by industry vertical, organization size, and the amount or frequency of security awareness training, the study reveals patterns that can light the way to a stronger and safer future.
The overall PPP average across all industries and size organizations was 27 percent.
Who’s at Risk: Ranking Industry Vulnerability
The results across the six million users highlights a drastic predicament for organizations that don’t feel the need or choose not to invest in new-school security awareness training which includes phishing security tests. The Phish-prone percentage data shows that no single industry across all-sized organizations is doing a good job at recognizing the cybercriminals phishing and social engineering tactics. When users have not been tested or trained, the initial baseline phishing security tests show how likely users in these industries are to fall victim to a phishing scam and put their companies at risk for potential compromise.
The overall PPP average across all industries and size organizations was 27 percent. Trends varied across diﬀerent industries, revealing the bleak truth that untrained users are failing as an organization’s last line of defense against phishing attacks. Speciﬁc trends show industry Phish-prone percentages above 30 percent at initial baseline testing include:
- In both the small and midsize organization categories, small insurance companies had the highest percentage of “Phish-prone” employees, ranking at 35 percent and 33 percent respectively.
- For the large organizations of 1,000 or more employees, not-for-proﬁt companies took the lead with 31 percent.
The winner of the lowest Phish-prone benchmark was large business services organizations at 19 percent which is still a signiﬁcant number when considering how many users in a larger organization could put your organization in jeopardy if they click on a phishing link.