A PhishMe survey of 250 information security professionals at last month's Black Hat conference has found that more than a quarter of respondents said privileged users in their organizations had been compromised by spear phishing attacks within the past year.
"Two out of three security professionals say that their staff are being phished relentlessly, throughout the working week as their anti-spam filters are unable to catch the messages," writes Business Computing World's Christian Harris. "Almost a quarter of the respondents said they see such messages in users’ mailboxes multiple times every day."
"Sadly, PhishMe's survey of Black Hat attendees indicates that most end users receive only the bare minimum of security awareness training," writes BetaNews' Patrick Roanhouse. "Nearly half (49 percent) of the professionals surveyed said their corporate network users receive training as much as only once a year. Even worse, nine percent said their organizations have no security training programs at all, sending untrained and usually very naive users to work as easy vectors of attack."
"Among organizations that do provide security training programs, many rely on scripted, delayed forms of instruction that do not provide metrics for program managers and administrators, the survey said," Infosecurity reports. "Three of the top four training methods listed by Black Hat attendees were recorded video/computer-based training (39.4 percent), paper tests/quizzes (32.9 percent), and handbooks/printed guides (28.5 percent). Only 16 percent of security professionals train their users via simulated attacks (where multiple responses are allowed)."
"This survey demonstrates with great clarity that phishing attacks -- particularly targeted attacks -- are getting through to end users with alarming regularity, yet most organizations don't train their users on what the most current attacks look like or how to react to them," PhishMe CTO and co-founder Aaron Higbee said in a statement. "If enterprises are going to protect themselves, they need a realistic, regular training regimen that helps users make the right decisions when they see a potential phishing attack -- passive security awareness that doesn't focus on tracking behavior modification is ineffective."