Tuesday, 16 November 2021

The Phishing Threat Now: A 2021 Update

The pandemic was boom time for cyber criminals. What can companies do to protect themselves from such email-based cyber threats?

According to the FBI, phishing incidents doubled in frequency during 2020. The pandemic was boom time for cyber criminals, with nearly a quarter of a million phishing attempts reported in the USA alone.

What can companies do to protect themselves from such email-based cyber threats?

Unlike other cybercrime attack vectors, people are key to protecting your organisation from phishing attacks. This means staff education and awareness raising measures hold the key to your successful defence against them.

To understand why, let’s look at some of the facts around phishing.

Phishing remains the top threat action

A recent report compiled by US tech giant Verizon has found that phishing continues to be the top threat action in successful cyber breaches.

In 85% of breaches linked to social engineering, the cyber criminals succeeded in stealing login credentials or the other information they were targeting.

Similarly, an earlier Mimecast survey about email-based attack vectors in 2021 showed that 60% of organisations were hit by an attack that spread internally from an infected user to other employees.

Cyber criminals exploit trust in public sector organisations

Throughout the pandemic, many of us have turned to respected institutions like the NHS and HMRC for information and support.

Cyber criminals have been quick to understand this and, over the last 18 months, have been busy hijacking respected and trusted public sector brands.

HMRC has investigated more than 10,000 scam emails, SMS messages, social media posts and phone calls that have exploited its name.

The National Cyber Security Centre (NCSC) has taken down more than 15,000 malicious campaigns related to COVID-19.

And it isn’t just cyber criminals who have exploited the crisis. State-sponsored cyber threats have also been reported, with Russian malware targeting pharmaceutical companies and research organisations to steal valuable intellectual property.

Which industries are most at threat?

Cyber security awareness business KnowBe4 has introduced the concept of the “Phish-Prone Percentage” or PPP. A higher PPP indicates a greater risk, as it points to a higher number of employees typically falling for phishing scams.

To calculate each organisation’s PPP, the company measures the number of employees who clicked on a simulated phishing email link or opened a simulated infected attachment during a test spoof-phishing campaign.

Shockingly, it found that in 2021 the average phish-prone percentage across all industries and organisation sizes was 31.4%. This means nearly a third of staff are likely to click on a suspicious link or open a suspicious file.
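To make the metric concrete, here is an added example (not KnowBe4's own code or data) that computes a phish-prone percentage from a constructed log of simulated-campaign events, per cohort, counting each employee once however many times they clicked, and expresses the drop between two campaigns as a relative risk reduction. The event names and cohort labels are assumptions for the illustration.

```python
from collections import defaultdict

# Constructed sample of simulated-phishing campaign events (not real data).
# Each record: (employee_id, cohort, event), where event is one of
# "delivered", "clicked_link", "opened_attachment" or "reported".
SAMPLE_EVENTS = [
    ("e1", "large-energy", "delivered"), ("e1", "large-energy", "clicked_link"),
    ("e1", "large-energy", "clicked_link"),   # second click: still one phish-prone employee
    ("e2", "large-energy", "delivered"), ("e2", "large-energy", "opened_attachment"),
    ("e3", "large-energy", "delivered"), ("e3", "large-energy", "reported"),
    ("e4", "large-energy", "delivered"),
    ("e5", "mid-retail", "delivered"), ("e5", "mid-retail", "clicked_link"),
    ("e6", "mid-retail", "delivered"),
    ("e7", "mid-retail", "delivered"),
    ("e8", "mid-retail", "delivered"), ("e8", "mid-retail", "reported"),
]

# Only clicking the link or opening the attachment counts as falling for the test;
# reporting the email is the desired behaviour and does not raise the PPP.
FAIL_EVENTS = {"clicked_link", "opened_attachment"}

def phish_prone_percentage(events):
    """Return {cohort: PPP}, where PPP is the share (in %) of employees who received
    the test email and then clicked its link or opened its attachment.
    An employee who fails more than once is counted once."""
    received = defaultdict(set)
    failed = defaultdict(set)
    for employee, cohort, event in events:
        if event == "delivered":
            received[cohort].add(employee)
        elif event in FAIL_EVENTS:
            failed[cohort].add(employee)
    return {
        cohort: round(100.0 * len(failed[cohort] & received[cohort]) / len(received[cohort]), 1)
        for cohort in received
    }

def risk_reduction(baseline_ppp, later_ppp):
    """Relative drop in PPP between two campaigns, in %.
    The article's 31.4% -> 16.4% after three months is a 47.8% reduction."""
    return round(100.0 * (baseline_ppp - later_ppp) / baseline_ppp, 1)

if __name__ == "__main__":
    print(phish_prone_percentage(SAMPLE_EVENTS))
    print(risk_reduction(31.4, 16.4), risk_reduction(31.4, 4.8))
```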

The survey found that the organisational profiles at highest risk of falling victim to a phishing attack included: large energy and utility businesses; large insurance firms; large banks; mid-size energy and utility firms; large healthcare and pharmaceutical organisations.

KnowBe4 suggests the sudden shift to home working was particularly difficult for large businesses to manage, and that this accounts for larger businesses typically having a higher phish-prone percentage in this year’s findings.

What can you do to guard your organisation against phishing scams?

There are some technological solutions that can help to guard against phishing, including email security tools and email filtering rules.

However, when it comes to phishing, the best line of defence is definitely your people.

The KnowBe4 survey looked at organisations who undertook email security awareness training for staff and the effect this training had on their susceptibility to email-based cyber-attack.

It found that after just three months of security awareness training for staff, the average PPP score dropped from 31.4% to just 16.4%.

Just three months of training can almost halve the risk.

The survey then looked at what happened if that email security awareness training programme was continued for a year. It found that after twelve months, the risk dropped from 31.4% to just 4.8%.

The effectiveness of training was demonstrated across all organisation sizes and all verticals. It’s clear that training and reinforcement can have a huge impact on an organisation’s ability to protect itself against the most common type of cyber-attack.

It’s difficult to think of another area of cyber security where such a small investment can have such a dramatic protective effect.

Next steps?

Read our blog about Mimecast’s 2021 survey on email security.

Or, if you have any questions about this article or about email security awareness training, please speak with our team.