Phishing Awareness Training Neglect Comes Back to Haunt Businesses - Tecbound Technology

In a volatile risk atmosphere, nothing has been more of a threat than phishing. It is the starting point for most of today’s most devastating cyberattacks, from ransomware to credential compromise. Google had registered 2,145,013 phishing sites as of Jan 17, 2021, up from 1,690,000 on Jan 19, 2020 (up 27% over 12 months). That’s not slowing down either. After a banner year for phishing risk in 2020, it was hard to believe that phishing had any more room to climb. Unfortunately, it did, and companies that slacked on security awareness training during the pandemic are paying the price.

This is important for businesses to remember: the top cause of data breaches is still human beings, specifically errors made by employees. It is far too easy for cybercriminals to concoct compelling phishing messages that can fool employees into handing over credentials or opening a ransomware-laden document; 48% of malicious email attachments are Office files. Employees also fear missing out on an important message far more than they fear unleashing malware or falling for a phishing attack. An estimated 45% of employees click emails they consider to be suspicious anyway “just in case it’s important.”

In a survey of responses to phishing simulations, every industry had problems with employees clicking on a phishing email. CyberNews reports that 1 in 3 employees are likely to click the links in phishing emails, and 1 in 8 employees are likely to share information requested in a phishing email. This is especially problematic in some industries. The top 5 industries most at risk for a phishing-related cybersecurity incident are:

  • Consulting
  • Apparel and accessories
  • Education
  • Technology
  • Conglomerates

Security awareness training that includes phishing resistance is a proven method to mitigate phishing risk. Companies that engage in regular security awareness training that features phishing resistance have up to 70% fewer cybersecurity incidents. But many companies have deprioritized training in the chaotic scramble of the business world in the last year, even as phishing risk climbed and employees who were not trained to work remotely took the plunge. Plus, even when training is happening, it’s done in such a desultory way that employees don’t receive enough training on the correct threats. All in all, far too many companies are courting disaster by neglecting training.

But just running a few training courses for your staffers isn’t enough to foster strong cybersecurity awareness. Making sure that every staffer, from the C-Suite to the interns, is taking and refreshing training courses regularly is vital to raising awareness and keeping it high, and to keeping cybersecurity incidents caused by phishing low. In a report from consulting giant Accenture detailing the characteristics of a cyber resilient organization, researchers placed the ideal number of training courses for employees each year at 11, or just a little under one per month. This prevents courses from becoming rote but still keeps the topic fresh in employees’ minds.

Source: ID Agent