When looking at the cyber attack risks businesses face today, phishing tops the chart. It’s a problem that also keeps getting worse – 84% of companies in a new study said they were the victims of a successful phishing attack in 2021, a 15% increase over the same 12-month period in 2020. Phishing attacks are also growing more sophisticated, thanks partly to much dark web data that helps the bad guys shape effective campaigns. In this flood of phishing, employees must be aware of phishing threats and be able to make the right choices when faced with a suspicious email. Unfortunately, that isn’t the case often, leading to a cybersecurity nightmare for their employers.

Employee actions around phishing cause an estimated 65% of insider threat incidents. Understanding the risk factors that can drive good and bad employee decision-making around phishing can help organizations gain a clear picture of their phishing risk:

1. The Permanent X-Factor: Human Error:

According to IBM’s X-Force Threat Intelligence Index, human error is the culprit in an estimated 90% of security breaches. Those errors can range from sending a coworker a file they’re not authorized to see to downloading a malicious attachment from a phishing email. One-fifth of employees admit to making mistakes like falling for phishing tricks that caused them to interact with negative messages at work – and these seven risk factors can impact employee behaviour around phishing.

2. The Lure of Social Engineering Traps:

Like any other business, cybercriminal gangs always seek ways to maximize efficiency, and phishing fits the bill. It’s the cheapest, easiest, and most effective way to penetrate a company’s security. Of course, it also evolves like any other business process, with changing techniques, increasing sophistication, and new traps making it hard for companies to keep up. It’s also hard for everyone else to keep up – 97% of employees cannot spot a sophisticated phishing email. Clicking on a phishing email is the most likely way an employee will cause a security breach. In a Stanford University study, researchers determined:

• One in four employees (25%) said they have clicked on a phishing email at work.
• Nearly 45% of respondents cited distraction as the top reason for falling for a phishing scam.
• Around 50% of employees are sure they have made an error that led to a security incident.

3. Careless Handling of Attachments:

The bane of IT teams, employees are regularly faced with convincing phishing schemes that utilize attachments. An estimated 48% of malicious email attachments are disguised as routine files, from a termination notice to a list of charitable resources. This was recently illustrated by a flood of phishing around generous relief for Ukrainians in the wake of the Russian invasion. Microsoft Office formats like Word, PowerPoint, and Excel are popular file extensions for cybercriminals to use when transmitting malware via email, accounting for 38% of phishing attacks. The most popular delivery method is archived files such as .zip and .jar, which account for about 37% of malicious transmissions.

4. Irregular or Non-Existent Security Awareness Training:

Over half of businesses do not engage in regular security awareness training, a colossal mistake that ultimately costs them. In a UK study on companies running phishing simulations, researchers discovered that 40 – 60% of untrained employees are likely to open malicious links or attachments. After six months of training, that number dropped from 20% to 25%. After 3 to 6 months of more activity, the percentage of employees who opened phishing messages plummeted to only 10% to 18%. Accenture places the ideal number of training courses for employees each year at 11, or just under one per month.

5. A Lack of Caution About Clicking Links:

Far too many employees are not Judicious about clicking links in email messages. CyberNews reports that 1 in 3 employees are likely to click the links in phishing emails, and 1 in 8 employees are likely to share information requested in a phishing email. Even more alarmingly, 67% of the employees tested in a phishing simulation who clicked through to the malicious dummy website submitted their login credentials, up from a scant 2% in 2019.

• In a phishing simulation, users in North America struggled the most, posting a 25.5% click rate and an 18% overall credential submission rate.
• This means over 7 out of every ten clickers willingly compromised their logins.
• European users exhibited lower click and submission rates of 17% and 11%, respectively.

6. A Weak Security Culture:

The kind of negligence that helps mistakes flourish can arise from a company’s lousy security culture. Security is everyone’s job, but not everyone understands that. 45% of a HIPAA Journal survey respondents said they don’t need to worry about cybersecurity safeguards because they don’t work in the IT department. That’s a disaster waiting to happen. Leadership attitudes toward security can compound that ignorance. In a CNBC survey, 56% of SMB owners said they are “not very concerned” about being the victim of a cyberattack in the next 12 months, and 24% said they were “not concerned at all.”

7. Fear of Repercussions:

No company benefits when employees are kept in the dark about security or made to think of it as a big, complicated, dangerous bugbear. Besides, every tech team would instead learn about a security incident when it’s just a little difficulty, not when it has snowballed into a giant disaster. But far too often, employees behave dangerously because they’re afraid of asking for help or clarification, and that’s no help to anyone.

• Just under 30% of employees fail to report cybersecurity mistakes out of fear.
• More than 40% of employees don’t report potential phishing out of fear of getting in trouble.
• About 45% of employees click suspicious emails “just in case it’s important.”

Source: ID Agent