Data Analysis Surprise: Least Expected Organization Groups Fall Victim to Phishing Attacks
- 128 companies
- 126K phishing emails sent
Measurements
Using the Keepnet Labs Phishing Simulator module, each employee who received a phishing email was tracked and placed into three groups:
- Group 1: Employees who opened the malicious emails
- Group 2: Employees who clicked a link or opened a malicious attachment in the emails
- Group 3: Employees who entered and submitted their information to the fake website
Sorting the Employees into "Failure Profiles"
Some employees fell under more than one group:
- Groups 1 and 2
- Groups 2 and 3
- Groups 1, 2, and 3
Analysis
The study then looked at the correlation between business departments and failure profiles.
Results
When results are filtered by business department, such as sales, marketing, IT, and R&D, we can see variations in employee behavior. Viewing the data by failure profile as well as by business department reveals that the proverbial champions of email security are the worst offenders. The likeliest victims were employees in the research and development, management, and legal departments.
Research & Development took the top position by leading in both of the most dangerous categories:
- 22.5% shared information
- 17.5% opened attachments
Legal snags the coveted "highest percentage in any group" accolade and stays "competitive" with second place in another group:
- 51.5% opened the emails
- 33.3% clicked on links
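The measurement, failure-profile and per-department steps above can be reproduced from a simulator's per-recipient export. The following is an added example written for this page, not Keepnet Labs code or data: the recipient records are constructed, and the field names (opened, clicked, submitted) are assumptions. It derives each employee's failure profile (including the overlapping "Groups 1 and 2" style profiles), computes open/click/submit rates per department, and ranks departments on the most dangerous category. One caveat a practitioner wants handled: open tracking is usually a beacon image, so a recipient who blocks images can register a click without an open; the example normalizes a click to imply an open and a submission to imply a click before counting.

```python
from collections import defaultdict
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Recipient:
    """One row of a simulator export (field names are assumed, not a real schema)."""
    employee: str
    department: str
    opened: bool      # tracking beacon fired
    clicked: bool     # clicked the link or opened the attachment
    submitted: bool   # entered data on the fake landing page


# Constructed sample data for illustration only; not the study's data.
SAMPLE = [
    Recipient("e01", "R&D", True, True, True),
    Recipient("e02", "R&D", True, True, False),
    Recipient("e03", "R&D", True, False, False),
    Recipient("e04", "R&D", False, False, False),
    Recipient("e05", "Legal", True, True, False),
    Recipient("e06", "Legal", True, False, False),
    Recipient("e07", "Legal", True, False, False),
    Recipient("e08", "Legal", False, False, False),
    Recipient("e09", "Marketing", True, False, False),
    Recipient("e10", "Marketing", False, False, False),
    Recipient("e11", "Marketing", False, False, False),
    Recipient("e12", "Marketing", False, False, False),
    Recipient("e13", "IT", True, True, False),
    Recipient("e14", "IT", True, False, False),
    Recipient("e15", "IT", False, False, False),
    Recipient("e16", "IT", False, False, False),
    # Edge case: images blocked, so no open beacon, but the link was clicked.
    Recipient("e17", "IT", False, True, False),
]


def normalize(r: Recipient) -> Recipient:
    """A submission implies a click and a click implies an open, even if the beacon never fired."""
    clicked = r.clicked or r.submitted
    opened = r.opened or clicked
    return replace(r, opened=opened, clicked=clicked)


def assign_groups(r: Recipient) -> frozenset:
    """Map one recipient to the set of groups (1 = opened, 2 = clicked, 3 = submitted)."""
    r = normalize(r)
    groups = set()
    if r.opened:
        groups.add(1)
    if r.clicked:
        groups.add(2)
    if r.submitted:
        groups.add(3)
    return frozenset(groups)


def failure_profile(r: Recipient) -> str:
    """Render the group set as the article's profile labels, overlaps included."""
    g = sorted(assign_groups(r))
    if not g:
        return "No failure"
    if len(g) == 1:
        return f"Group {g[0]}"
    if len(g) == 2:
        return f"Groups {g[0]} and {g[1]}"
    return "Groups 1, 2, and 3"


def profile_counts(records) -> dict:
    """How many recipients fall into each failure profile."""
    counts = defaultdict(int)
    for r in records:
        counts[failure_profile(r)] += 1
    return dict(counts)


def department_rates(records) -> dict:
    """Percentage of recipients per department who opened, clicked and submitted."""
    totals = defaultdict(int)
    hits = defaultdict(lambda: {"opened": 0, "clicked": 0, "submitted": 0})
    for r in map(normalize, records):
        totals[r.department] += 1
        for metric in hits[r.department]:
            if getattr(r, metric):
                hits[r.department][metric] += 1
    return {
        dept: {m: round(100 * n / totals[dept], 1) for m, n in counts.items()}
        for dept, counts in hits.items()
    }


def worst_department(rates: dict, metric: str) -> str:
    """Department with the highest rate for the given metric (e.g. 'submitted')."""
    return max(rates, key=lambda d: rates[d][metric])


if __name__ == "__main__":
    rates = department_rates(SAMPLE)
    for dept, r in rates.items():
        print(f"{dept:10} opened {r['opened']:5.1f}%  clicked {r['clicked']:5.1f}%  submitted {r['submitted']:5.1f}%")
    print("profiles:", profile_counts(SAMPLE))
    print("most credentials submitted:", worst_department(rates, "submitted"))
```

Submission rate is the metric to rank on when deciding where to focus training, because it is the only one of the three that directly hands the attacker something usable; open rate alone is inflated by mail clients that prefetch images.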
Other Striking Findings:
- Marketing department employees were the most cyber-aware.
- 30% or more of all types of employees opened malicious emails.
- Excluding the employees in marketing, over 23% of all employees clicked on links in malicious emails.
- By unsuspectingly giving away highly sensitive information 22% of the time on average, and opening 14% of malware attachments on average, R&D and quality control employees helped attackers circumvent their organizations’ technological defenses once in every five email-borne attacks.
Who should not have appeared in these charts at all?
You may agree that non-technical employees such as upper management often see the IT department as the last line of defense, as it is populated by overly protective, always paranoid technicians. The expectation is that they are well aware of the risks and know what to do concerning cyber security. Finding that IT personnel opened 48.4% of malicious emails and that 28.9% of them clicked on a link in those emails is surprising, unnerving, and dismaying to the rest of us ordinary folk, let alone management.
Conclusion
Results from over 126,000 individual emails, evaluated in sanctioned phishing tests in 2017 from Keepnet Labs customers around the world, revealed that 48.2% of phishing messages were opened by employees. Moreover, 31.5% of employees clicked the malicious attachment or link, and 7.9% submitted their credentials to the fake web site.
The types of employees who failed to notice threats included key personnel who must understand the nature of the danger to security and how to avoid these threats. They are expected to be more attentive and vigilant concerning cyber security. It is an unpleasant surprise that IT personnel appear in the groups that suggest the most destructive security breaches.
Creating cyber security awareness and helping change employee behavior is vital. Skill development exercises, such as those with the Keepnet Labs Phishing Simulator, and tools that invite employee engagement in cyber defenses, such as Keepnet Labs Incident Responder, are essential for establishing and maintaining employee awareness, buy-in, and commitment to preventing cyber attacks.
As a Cybrary member, you get up to 500 trial licenses to utilize the resources of Keepnet Labs! Gain access to our most popular modules: Email Threat Simulator, Incident Responder, Phishing Simulator, and Awareness Educator. Discover and prevent your organization's human and technology vulnerabilities. Visit https://www.keepnetlabs.com/cybrary/