Every organisation, regardless of size and vertical, is susceptible to phishing and social engineering without computer-based training.
This is among the findings of a new Phishing by Industry Benchmarking Report to measure an organisation’s phish-prone percentage (PPP), which indicates how many of their employees are likely to fall for a phishing or social engineering scam.
The benchmarking report was produced by KnowB4.
The initial baseline phishing test was administered to organizations that had not conducted any KnowBe4 security awareness training. The results indicated a high level of risk, with an average initial baseline PPP of 31,4% across all industries and sizes.
“In critical industries like Energy & Utilities and Healthcare & Pharmaceuticals where lives can be severely impacted, we found particularly high levels of cybersecurity risk as a result of simulated phishing test failures,” says Stu Sjouwerman, CEO of KnowBe4.
“This is deeply concerning. Organisations should monitor their risks due to the majority of data breaches originating from social engineering. This data shows us that implementing security awareness training with simulated phishing testing will help to better protect organizations against cyber-attacks.”
After 90 days of computer-based training and simulated phishing testing, the average PPP was reduced by approximately 50%, dropping from 31,4% to 16,4%. And after one year of monthly simulated phishing tests and regular training, the PPP further declines to just 4,8%.
Across all industries, there’s an average 84% improvement rate from baseline testing to 12 months of training and testing.