The famous line goes, ‘To err is human; to forgive, divine.’ However, a more fitting line from Alexander Pope’s poem might be, ‘All seems infected that th’ infected spy.’ In the world of cybersecurity, the infection is phishing, and no one is immune. Last week, we reported on an Arctic Wolf report revealing a striking disconnect: 80% of IT and security professionals expressed high confidence in their organization’s ability to resist phishing attacks, yet 64% admitted to having fallen for phishing scams themselves. This paradox dovetails neatly with the latest phishing trends found in recent reports, which underscore the escalating vulnerabilities in cybersecurity, particularly within the human layer of defense.
The “2024 Phishing by Industry Benchmarking Report” from KnowBe4 highlights the growing susceptibility of employees across industries to phishing attacks and emphasizes the critical need for ongoing security awareness training. These phishing trends shed light on a sobering reality: despite advancements in technical defenses, the human element remains the most exploitable entry point for cybercriminals.
Our takeaways follow; you can get the whole report here.
Key Findings:
Phish-Prone Percentage (PPP):
At the heart of the report is the “Phish-Prone Percentage” (PPP), a metric that measures the share of employees likely to fall for phishing scams. In 2024, the average PPP across all industries stood at 34.3%, up slightly from 2023. This indicates that despite improved technology, employees remain highly susceptible to social engineering attacks. Those without cybersecurity awareness training are particularly vulnerable.
Industry Vulnerability:
Healthcare and Pharmaceuticals top the list of industries most vulnerable to phishing, according to the phishing trends report, with a PPP of 51.4% for large organizations (1,000+ employees). Other sectors, including Insurance (48.8%) and Energy & Utilities (47.8%), also rank high in susceptibility. With their large databases of sensitive information, these industries are prime targets for cybercriminals.
Training’s Impact:
The report offers a clear solution: comprehensive, ongoing security training. Organizations that implemented security awareness programs saw significant improvements, with the average PPP dropping by almost 50% to 18.9% after just 90 days of training. After a full year of continued training, this figure plummeted to just 4.6%, underscoring the power of regular education in reducing phishing risks.
Regional Variations:
The report highlights geographic disparities in vulnerability, noting regional phishing trends. The Asia-Pacific region, for example, bore the brunt of global cybersecurity incidents, accounting for 23% of attacks. North America and Europe followed closely, reflecting the global scope of phishing threats.
A Pressing Threat to Manufacturing:
According to the report and the accompanying press release, the manufacturing industry is especially vulnerable, accounting for 25% of all cyber incidents across the top 10 industries. Manufacturing’s interconnected nature, reliance on operational uptime, and high value of intellectual property make it an attractive target. Phishing remains the primary attack vector, often followed by exploiting public-facing applications.
The manufacturing sector has also seen a dramatic 266% increase in malware designed to steal sensitive information like login credentials and banking details. Meanwhile, ransomware attacks, especially those involving extortion, have risen by 56%, with the average ransom payment reaching $2.4 million, an 88% increase from last year.
Human Weaknesses Exposed:
While cyber defenses have become more sophisticated, the report makes clear that the human layer remains the Achilles’ heel. Untrained or inadequately prepared employees are the weakest link in an organization’s cybersecurity posture. In companies with more than 1,000 employees and no security training, the PPP is a staggering 37.5%, meaning nearly four out of every 10 employees could fall victim to phishing attacks.
The report emphasizes that instead of viewing employees as inherent vulnerabilities, organizations should empower them as active participants in their cyber defense strategy. Comprehensive security awareness training is no longer optional but essential for safeguarding businesses against increasingly sophisticated threats. Recent phishing trends highlight the necessity of this approach.
Conclusion:
The “2024 Phishing by Industry Benchmarking Report” is a wake-up call for organizations across all sectors. It highlights the persistent and evolving risks posed by cybercriminals and underscores the importance of focusing on both technology and the human element of security. With phishing attacks growing in volume and complexity, organizations that prioritize ongoing security training and foster a culture of cybersecurity awareness will be best equipped to protect their data and operations in today’s digital landscape. Track the latest phishing trends to stay ahead of new threats.