Study Highlights Seriousness of Phishing Threat and Importance of Security Awareness Training

A new study has revealed the extent to which employees are being fooled by phishing emails and how, despite the risk of data breaches and regulatory fines, many companies are not providing security awareness training to their employees.

For the study, 500 office workers were surveyed by the consultancy firm Censuswide. While all the respondents were based in Ireland, the results of the survey reflect the findings of similar studies conducted in other countries, including the United States.

14% of all surveyed office workers said that they had fallen for a phishing email, which would equate to around 185,000 office workers in Ireland.

There were notable differences in susceptibility to phishing emails across the three age groups surveyed: millennials, Generation X, and baby boomers. The age group most likely to be fooled by phishing scams was millennials (17%), followed by baby boomers (7%) and Generation X (6%).

Respondents were asked about how confident they were in their ability to identify phishing scams. Even though almost three times as many millennials had fallen for phishing scams as Generation Xers, millennials had the greatest confidence in their ability to identify phishing scams. That confidence, it would seem, has been somewhat misplaced.

14% of millennials said they would not be certain that they could identify fraud, compared to 17% of Gen Xers, and 26% of baby boomers.

The survey revealed that one in five workers had not been given any security awareness training whatsoever, but even when training was provided, many office workers still engaged in unsafe practices such as clicking hyperlinks or opening email attachments in messages from unknown senders. 44% of baby boomers admitted to having taken one of those actions in the past, compared with 34% of millennials and 26% of Gen Xers.

The consequences of a successful phishing attack can be severe. Phishing attacks can result in major financial losses, especially when financial information is stolen. They can also cause lasting damage to a company's reputation and loss of business; companies can face lawsuits from individuals whose personal information has been exposed or stolen, and regulators can issue substantial civil monetary penalties.

While security solutions can be implemented to block the majority of phishing emails, it is not possible to prevent all phishing emails from being delivered to inboxes. Security awareness training for everyone in the company, from the CEO down, is therefore essential.

Security awareness training needs to be thought of in the same way as health and safety training. It is an organizational and HR matter, not just the responsibility of the IT department.

Simply providing an annual training session for employees is no longer sufficient. Phishing attacks are becoming more sophisticated and cybercriminals are constantly changing tactics. Businesses therefore need to continually educate their employees to ensure training is not forgotten and to keep employees abreast of the latest phishing news and tactics.

Annual or biannual training sessions should be accompanied by regular refresher training sessions to help develop a security culture. Phishing email simulations are also useful for reinforcing training, gauging the effectiveness of training sessions, and identifying weak links.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.