A recent Intermedia survey of more than 1,000 U.S. office workers found that 14 percent of respondents either don’t know what phishing is or aren’t confident in their ability to identify a phishing email, and 21 percent have fallen victim to a phishing attack.
Notably, 34 percent of phishing victims are company owners or executive management, and 25 percent are IT workers.
Intermedia vice president of security and privacy Ryan Barrett said in a statement that it’s no longer enough just to talk to employees about threats — that kind of education, he said, can actually lead to a false sense of security.
“Instead, companies need to offer regular interactive IT security trainings, simulate security incidents to help employees detect and prevent cyber attacks, and talk about the risks when big data breaches are in the news,” Barrett said.
Phishing Is the Best Strategy
Separately, a Bitglass survey of 129 hackers at Black Hat 2017 found that 59 percent of respondents said phishing is the best strategy for data exfiltration, with malware and ransomware ranking second at almost 27 percent.
“Phishing and malware are threats made all the more potent by cloud adoption and the ease with which employees can share corporate data,” Bitglass vice president of product management Mike Schuricht said in a statement.
Respondents identified the top security blind spots as unmanaged devices (61 percent); outdated systems, applications and programs (55 percent); mobile devices (36 percent); data at rest in the cloud (26 percent); and traditional on-premises security (20 percent).
The least effective security tools, according to respondents, are password protection of documents (33 percent) and facial recognition (19 percent).
But Is Education a Waste of Time?
A separate Bromium survey of 500 CIOs in the U.S., U.K. and Germany found that fully 99 percent of respondents see end users as “the last line of defense” against hackers, and are spending an average of $290,033 per large enterprise on employee education in response.
“While end users are often the easiest target for hackers, the idea that they should be ‘the last line of defense’ for a business is simply ridiculous,” Bromium CTO Simon Crosby said in a statement. “The fact is, most employees are focused on getting their jobs done, and any training will go out the window if a deadline is looming.”
“Instead of wasting time on user education policies, protect your users,” Crosby suggested. “Let them click with confidence. If they get attacked, let it happen, but do so in a contained environment. By isolating applications in self-contained hardware-enforced environments, malware is completely trapped. Users are free to download attachments, browse websites and click on links without fear of causing a breach.”