The ignorance of most UK office workers about phishing, one of the most lethal forms of cyber threat, has been revealed in a new study which shows almost a quarter of people don't know what it is. Another worrying statistic is that nearly a fifth of UK companies provide no training at all to help staff understand security threats.
The survey of around 1,000 people, which was conducted by One Poll on behalf of vendor company PhishMe, shows that nearly 9 per cent of respondents thought phishing was ‘a new social media tool’ while another 14 per cent simply did not know what it is.
Phishing – where cyber criminals use a spoof email to trick the recipient into clicking on a fake link or opening a dangerous attachment – has been used in many recent successful cyber crimes, even against tech-savvy companies. Earlier this month Microsoft had a number of its blogs and Twitter accounts hacked by the Syrian Electronic Army via a phishing attack.
According to the survey, almost half the respondents estimate they receive between one and four phishing emails a day, while around 16 per cent admit to having been tricked by a phishing email – a problem compounded by the fact that just under 20 per cent of the UK organisations questioned provide no cyber security training.
Commenting on the findings, Amar Singh, chair of the UK Security Advisory Group at global cyber security user group ISACA, said they show that ‘the human’ remains one of the biggest challenges in cyber resilience response.
“Phishing and spear-phishing (targeted phishing) will continue to remain a serious threat and as more people embrace smart devices, this threat and its impact are only going to increase,” Singh told SCMagazineUK.com.
“A simple message, like ‘think before you click’ or ‘think before you share’, could save an organisation an embarrassing data leak and, consequently, its brand reputation.”
Asked if the finding on lack of security training was surprising, PhishMe CEO Rohyt Belani told SCMagazineUK.com:
“It's not surprising to see a significant percentage of organisations not providing security awareness training. The traditional approach to security awareness has been largely ineffective, which has led those organisations to abandon the practice. However, more and more security practitioners are discovering new methods that effectively train users and focus on measurable behaviour change; the trend is most definitely reversing.”
Belani explained: “Improving staff security awareness requires a new approach that delivers training in an immersive manner. Sending simulated phishing attacks that provide instant, bite-sized feedback in an engaging format when the recipient enters sensitive information, clicks on a link or opens an attachment is an effective way to positively impact employee behaviour.
“Measuring the results of each exercise, and refining future exercises based on the results, allows you to repeat the process while also providing fresh content. Repetition reinforces good habits, and makes security part of your organisational culture.”
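As an added illustration of the measure-and-refine loop Belani describes (example code written for this article, not PhishMe's own tooling), here is a small Python scorer run over constructed simulation results: it computes per-exercise click, submit and report rates, lists recipients who fell for the lure in more than one exercise (candidates for targeted follow-up), and reports the change in click rate from the first exercise to the latest.

```python
from collections import defaultdict

# Outcomes that count as falling for the lure: opening the link/attachment,
# or going further and entering data on the landing page.
FAILED = {"clicked", "submitted"}

# Constructed sample data: (exercise number, recipient, outcome) for three
# repeated simulated-phishing exercises sent to the same five recipients.
# Outcomes: "ignored", "reported" (sent to the security team), "clicked", "submitted".
SAMPLE_RESULTS = [
    (1, "alice", "clicked"), (1, "bob", "submitted"), (1, "carol", "ignored"),
    (1, "dave", "reported"), (1, "erin", "clicked"),
    (2, "alice", "clicked"), (2, "bob", "reported"), (2, "carol", "ignored"),
    (2, "dave", "reported"), (2, "erin", "ignored"),
    (3, "alice", "reported"), (3, "bob", "reported"), (3, "carol", "clicked"),
    (3, "dave", "reported"), (3, "erin", "reported"),
]


def exercise_metrics(results):
    """Per-exercise rates: share who clicked/submitted, submitted, or reported."""
    per_exercise = defaultdict(list)
    for exercise, _user, outcome in results:
        per_exercise[exercise].append(outcome)
    metrics = {}
    for exercise in sorted(per_exercise):
        outcomes = per_exercise[exercise]
        n = len(outcomes)
        metrics[exercise] = {
            "recipients": n,
            "click_rate": sum(o in FAILED for o in outcomes) / n,
            "submit_rate": outcomes.count("submitted") / n,
            "report_rate": outcomes.count("reported") / n,
        }
    return metrics


def repeat_clickers(results, min_exercises=2):
    """Recipients who fell for the lure in at least min_exercises exercises."""
    failures = defaultdict(set)
    for exercise, user, outcome in results:
        if outcome in FAILED:
            failures[user].add(exercise)
    return sorted(u for u, ex in failures.items() if len(ex) >= min_exercises)


def click_rate_change(metrics):
    """Latest click rate minus the first; negative means behaviour improved."""
    ordered = [metrics[e]["click_rate"] for e in sorted(metrics)]
    return ordered[-1] - ordered[0]


if __name__ == "__main__":
    m = exercise_metrics(SAMPLE_RESULTS)
    for exercise, stats in m.items():
        print(exercise, stats)
    print("repeat clickers:", repeat_clickers(SAMPLE_RESULTS))
    print("click-rate change:", click_rate_change(m))
```

The report rate rising while the click rate falls is the behaviour-change signal worth tracking across exercises; the repeat-clicker list is where the next round's refined content should be aimed.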
Singh, meanwhile, added that most companies can do a lot by simply educating their employees on security basics.
“Not many a battle will be won if you do not have your employees, your privileged employees, aware of the dangers of things like over-sharing, unnecessary tweeting and sharing passwords,” said Singh.
“Organisations need to address an employee's personal cyber space and offer help and information on how they can protect their personal cyber space. This approach would benefit both the organisation and the employee.”