This post will summarize the key findings from KnowBe4’s 2024 Phishing by Industry Benchmarking Report. This report highlights the continuing severity of phishing attacks and underscores the importance of robust security awareness training as a critical defense strategy.

AI generated podcast, if you prefer to listen to this content:

The report uses a metric known as the Phish-prone Percentage (PPP). This measures the percentage of employees within an organization who are susceptible to falling for phishing scams. A high PPP indicates a larger number of employees who are vulnerable to these attacks, thus indicating a greater risk of a potential breach. A low PPP demonstrates that the organization’s workforce has strong security awareness and can effectively identify and thwart phishing attempts.

Key Findings of the Report

• Untrained employees pose a significant security risk. The report found that, on average, 34.3% of untrained users across various industries and organizational sizes would likely fail a phishing test. This means approximately one-third of employees are prone to interacting with malicious content, potentially jeopardizing their organization’s security.
• Consistent and comprehensive security awareness training leads to dramatic improvements. The report emphasizes that consistent security awareness training, combined with regular simulated phishing tests, can substantially reduce an organization’s PPP. Organizations that implement such training programs see their average PPP drop to 18.9% within 90 days, and to 4.6% after one year or more of training. This demonstrates a dramatic improvement in employee preparedness against phishing attacks.
• Specific industries exhibit consistently high-risk levels. For the third consecutive year, several industries in the large organization category (1,000+ employees) had PPPs exceeding 40% even after baseline assessments: Banking (42.3%), Consulting (47%), Energy & Utilities (47.8%), Financial Services (41.6%), Healthcare & Pharmaceuticals (51.4%), Insurance (48.8%), and Retail & Wholesale (42.4%). The Healthcare & Pharmaceuticals industry was among the highest risk industries in all organization sizes. These sectors are often targeted due to their handling of sensitive data and the potential for disruption of critical services.
• Investing in the human layer of security is crucial. The report stresses that organizations must go beyond mere compliance training and adopt a proactive, comprehensive security awareness strategy that includes:
  • Continuous education.
  • Regular testing and reinforcement.
  • Cultivating a security-conscious culture where employees understand the importance of safeguarding their digital environments both at work and in their personal lives.

Recommendations for a Strong Security Posture

The report concludes with recommendations for security leaders, emphasizing the following key aspects:

• Defined Mandate: Establish and clearly communicate the purpose and goals of your security awareness program.
• Policy Alignment: Ensure your program is in line with your organizational security policies.
• Culture Integration: Actively connect your security awareness initiatives with your overall security culture to strengthen the human layer of defense.
• Executive Support: Secure full support from executives for your security awareness program.

To successfully implement these recommendations, security and risk management leaders can consider the following actions:

• Fostering a Security Culture: Cultivate a workplace environment that prioritizes security, where employees are encouraged to be vigilant and report suspicious activity.
• Strategic Hiring: Recruit individuals with a strong security mindset who can contribute to building a security-conscious culture.
• “Culture Carrier” Program: Establish a program where designated employees act as security champions, promoting awareness and best practices within their teams.
• Ongoing Simulated Phishing Tests: Conduct regular phishing simulations to reinforce training and assess employee preparedness.
• Increased Frequency: Increase the frequency of training and testing to maintain security awareness as a top priority.
• Leadership Role Modeling: Encourage executives and leaders to demonstrate a commitment to security best practices, setting a positive example for the organization.
• Clearly Defined Objectives: Outline specific goals for your security awareness program and track progress toward achieving them.
• Engaging Professionals: Consider partnering with experienced security awareness training providers to leverage their expertise and resources.
• Effective Measurement: Implement metrics to track the effectiveness of your program, measuring key indicators like PPP reduction and employee engagement.
• Marketing-Inspired Approach: Adopt a marketing mindset to create engaging and impactful security awareness campaigns that resonate with employees.
• Employee Motivation: Motivate employees to actively participate in security awareness initiatives by recognizing and rewarding positive security behaviors.

By implementing these steps, organizations can build a strong human firewall and empower their employees to play an active role in protecting their organization against the evolving threat landscape.