A survey of 250 IT professionals at the recent Black Hat USA conference found that a quarter had been compromised by spear phishing attacks within the last 12 months.
The survey at the conference found that most email recipients are not properly trained to recognise or safely react to phishing threats, with nearly half (49 per cent) of the respondents saying that their users receive training only once a year; while nine per cent said their organisations have no security training programs at all.
Of those that do receive training, only 16 per cent of security professionals train their users via simulated attacks, while two-thirds say that their staff are being phished relentlessly.
Scott Greaux, vice president of product management and services at PhishMe, who conducted the survey and offers a service that simulates phishing attacks to help train users on how to react to them, said that many enterprises believe that spam filtering tools or other email security technologies are keeping them safe from phishing attacks.
“What we found in our survey is that despite such filters, end-users are presented with live, malicious attacks in their inboxes nearly every day,” he said.
Aaron Higbee, CTO and co-founder of PhishMe, said: “This survey demonstrates with great clarity that phishing attacks – particularly targeted attacks – are getting through to end-users with alarming regularity, yet most organisations don't train their users on what the most current attacks look like or how to react to them.
“If enterprises are going to protect themselves, they need a realistic, regular training regimen that helps users make the right decisions when they see a potential phishing attack – passive security awareness that doesn't focus on tracking behaviour modification is ineffective.”
Speaking on a recent SC Magazine webcast titled Today's Top 10 Threats Unmasked, Bryan Littlefair, group technology security director at Vodafone Group, said that every employee needs to become a virtual part of the security team.
He also dismissed awareness campaigns that use ‘balloons and mousemats', saying that they are a thing of the past and that businesses need to work on information flows.
“Awareness and feeding the information and risks into the culture of the organisation is key, otherwise you are definitely going to have problems if people are not aware of the threats posed by phishing as they will click, it is just human nature,” he said.
Listen to the SC webcast by clicking here.