New research has revealed the scale of phishing attacks and the number of employees being misled by phishing emails. Despite the threat of data breaches and regulatory penalties, a significant number of companies still do not provide sufficient security awareness training to their workers.
The consultancy company Censuswide surveyed 500 office workers in Ireland. 14% of surveyed office workers claimed they were victims of phishing. If the findings are nationally representative, it would mean up to 185,000 office workers in Ireland had been tricked by phishing scams.
There were considerable differences between age groups: baby boomers, Generation X, and millennials. The age group most likely to be tricked by phishing scams was millennials: 17% of millennials had been fooled by phishing scams, followed by 7% of baby boomers and 6% of Generation Xers.
The researchers asked how confident respondents were in their ability to spot phishing scams. Three times as many millennials had fallen victim to phishing scams as Generation Xers, but millennials were much more confident that they could spot a phishing scam. That confidence appears to be somewhat misplaced. About 14% of millennials claimed they’re not sure that they can identify fraud, compared to 17% of Gen Xers and 26% of baby boomers.
One in five employees had not been provided with any security awareness training, but even when training was provided, risky practices continued, such as clicking hyperlinks or opening attachments in emails from unknown senders. 44% of baby boomers said they had clicked links or opened attachments from unknown senders in the past, as had 34% of millennials and 26% of Gen Xers.
The implications of a successful phishing attack can be severe for businesses. Phishing attacks can result in financial losses. According to the Ponemon Institute, the average cost of a data breach is now $3.86 million. Phishing attacks can also result in permanent reputation damage, lost business, legal action, and regulatory fines.
Even though security solutions may be implemented to block phishing emails, it isn’t possible to stop all phishing emails from landing in email inboxes. Security awareness training for all people in the organization, from the Chief Executive Officer down, is therefore very important. Security awareness training should be viewed in the same way as health and safety training: it requires buy-in from all departments and is not just an IT issue.
Simply offering a yearly training session for workers is not enough. Phishing attacks are becoming more sophisticated and cybercriminals are continuously coming up with new ways of bypassing defenses and fooling end users. Businesses consequently have to continuously train their employees to keep them up to date on new threats and to reinforce past training.