Study Confirms Security Awareness Training Significantly Reduces Susceptibility to Phishing Attacks

A recent Phishing by Industry Benchmarking Report has confirmed that providing security awareness training to the workforce significantly reduces susceptibility to phishing attacks. The benchmarking study was conducted by KnowBe4 to determine how effective security awareness training is at reducing susceptibility to phishing attacks. For the report, KnowBe4 analyzed data from more than 9.5 million users across 19 industry sectors, over 30,000 organizations, and 23.4 million simulated phishing emails. The study covered 22,558 small organizations with 1-249 employees, 5,876 mid-sized organizations with between 250 and 999 employees, and 1,709 large organizations with 1,000 or more employees.

According to the 2022 Verizon Data Breach Investigations Report (DBIR), 82% of data breaches in 2021 involved a human element, confirming that people play a major role in security incidents and data breaches. Cybercriminals continue to target the human element as it provides an easy way of gaining access to business networks, and one of the main ways employees are targeted is through phishing, which has continued to increase year over year.

Technology exists to block phishing attacks, and while products such as spam filters, antivirus software, and web filters are effective and will block a substantial number of threats, some threats will bypass those defenses and will reach employees. Many organizations fail to invest adequately in security awareness training and intervention, even though it is just as important as technology.

For the study, KnowBe4 established a baseline against which the effect of security awareness training could be measured, which the company calls the phish-prone percentage (PPP). The baseline PPP is the percentage of employees who clicked on simulated phishing emails prior to any security awareness training being provided. Training was then provided to employees and the PPP was recalculated after 90 days and after one year of continuous training.


Across all industry sectors and organization sizes, the average baseline PPP was 32.4%, which was one point higher than in 2021. The baseline in small healthcare and pharmaceutical organizations (32.5%) was second worst out of all industry sectors behind education (32.7%). The PPP was second worst in mid-sized organizations (36.6%) behind the hospitality sector (39.4%), and fourth worst in large organizations with a PPP of 45%.

When the phishing test was repeated 90 days after training was provided, the PPP had dropped to 19.7% at small healthcare and pharmaceutical organizations, 19.1% at mid-sized organizations, and 17.2% at large organizations, drops of 12.8, 17.5, and 27.8 percentage points respectively. Across all industry sectors, the PPP fell from 32.4% to 17.6%. These figures clearly demonstrate the benefits of providing security awareness training to employees and that training provides a fast return on investment.

The third phase of the study involved a repeat of the phishing test after a year of ongoing training and saw the average PPP across all industry sectors and organization sizes drop from 32.4% to 5%. The healthcare and pharmaceutical sector saw the PPP drop to 4.1% in small organizations, 5.1% in mid-sized organizations, and 5.9% in large organizations. That equates to an 87% improvement in small healthcare and pharmaceutical organizations, an 86% improvement in mid-sized organizations, and an 87% improvement in large organizations.
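As an added illustration, not KnowBe4's code or data, the bookkeeping behind the figures above: the PPP for each test round, the percentage-point drop quoted for the 90-day retest, and the relative improvement quoted for the one-year retest (a 32.5% baseline falling to 4.1% is a 28.4-point drop but an 87% improvement). The per-recipient outcomes and the function names are constructed for this example.

```python
"""Phish-prone percentage (PPP) bookkeeping for a simulated phishing program.

Added example, not code from KnowBe4 or the HIPAA Journal article. The data
below is constructed and every function name is an assumption of this example.
"""

# Constructed per-recipient outcomes for one hypothetical small organization,
# one dict per test round (baseline, 90-day retest, one-year retest).
ROUNDS = {
    "baseline": {"u01": "clicked", "u02": "ignored", "u03": "reported", "u04": "clicked",
                 "u05": "clicked", "u06": "ignored", "u07": "reported", "u08": "ignored",
                 "u09": "entered_credentials", "u10": "ignored"},
    "day90":    {"u01": "clicked", "u02": "reported", "u03": "reported", "u04": "opened_attachment",
                 "u05": "ignored", "u06": "reported", "u07": "reported", "u08": "ignored",
                 "u09": "reported", "u10": "ignored"},
    "year1":    {"u01": "reported", "u02": "reported", "u03": "reported", "u04": "reported",
                 "u05": "clicked", "u06": "reported", "u07": "reported", "u08": "ignored",
                 "u09": "reported", "u10": "reported"},
}
# Outcomes that count as "falling for" the simulation (assumed categories).
FAIL_OUTCOMES = {"clicked", "opened_attachment", "entered_credentials"}


def phish_prone_percentage(results):
    """PPP = recipients who fell for the simulation / recipients who received it, as a percent.
    Every delivered email is in the denominator, so ignoring and reporting both lower the PPP."""
    if not results:
        raise ValueError("no delivered simulations")
    failed = sum(1 for outcome in results.values() if outcome in FAIL_OUTCOMES)
    return round(100.0 * failed / len(results), 1)


def absolute_drop(before, after):
    """Change in percentage points: the figure the article quotes for the 90-day retest."""
    return round(before - after, 1)


def relative_improvement(before, after):
    """Percent reduction relative to the baseline: the figure quoted after one year."""
    if before == 0:
        raise ValueError("baseline PPP is zero; relative improvement is undefined")
    return round(100.0 * (before - after) / before)


def program_summary(rounds):
    """PPP per round, plus point drop and relative improvement against the baseline round."""
    base = phish_prone_percentage(rounds["baseline"])
    summary = {"baseline": {"ppp": base}}
    for name, results in rounds.items():
        if name == "baseline":
            continue
        ppp = phish_prone_percentage(results)
        summary[name] = {"ppp": ppp, "points": absolute_drop(base, ppp),
                         "improvement": relative_improvement(base, ppp)}
    return summary
```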

“As with any significant change, it takes time to break old habits and create new ones,” explained KnowBe4 in the report. “Once these new habits are formed, however, they become the new normal, part of the organizational culture, and influence how others behave, especially new hires who look to others to see what is socially and culturally acceptable in the organization.”

KnowBe4 also pointed out that in order to favorably change overall security behaviors, security awareness training programs need to have a clearly defined and communicated mandate, a strong alignment with organizational security policies, an active connection to overall security culture, and full support of executives. “Without consistent and enthusiastic executive support, raising security awareness within an organization is certain to fail.”

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.