With Increased Cybersecurity Awareness, Why Does Phishing Still Work?
By Zac Amos, Features Editor, ReHack
With the costs of cyberattacks rising and their effects becoming more severe, many decision-makers realize cybersecurity awareness training must be an ongoing part of employee education. Many of the most successful and widely used attacks involve phishing, in which a cybercriminal imitates a trusted person or organization to trick a victim into handing over information such as login credentials.
However, these attacks still happen even as workers sit through hours of training and go through realistic phishing simulations. Why is that the case?
- Cybersecurity Training Programs Are Not Sufficiently Effective
Adding cybersecurity training to employees’ schedules is not enough. The educational content they receive must also be actionable enough that they can apply it to their daily lives — whether at home or work. However, a 2023 Fortinet study suggests that’s not happening.
About 90% of leaders polled believed additional cybersecurity training for employees would reduce cyberattacks. Another 85% of respondents said they taught workers cybersecurity best practices. However, over 50% said employees still lacked knowledge in this area. That gap suggests the training itself is less effective than intended.
Company representatives in charge of training might improve it by digging into internal data to determine where shortcomings exist. Alternatively, they could gather information through quick, informal quizzes. How many employees can correctly identify phishing attack characteristics? What percentage know the best practices for creating and using passwords? Answering those questions can show trainers which areas to focus on in future sessions.
- Many Workers Juggle Numerous Responsibilities
People under constant pressure have less time, and may not feel clear-headed enough, to judge accurately whether a message is legitimate communication or a phishing scam. That kind of pressure compromises data security in more ways than phishing alone.
A 2022 Tessian study revealed that more than two-fifths of respondents mentioned distraction and fatigue as their reasons for falling for phishing attacks. Another 52% said they were tricked by phishing attacks that impersonated a company executive. People who are tired and dealing with duties that pull their attention in all directions may be less likely to identify phishing attacks, even after getting the appropriate training.
However, the study also showed other things can compromise data security. For example, 40% of respondents sent emails to the wrong person and 29% said their companies lost customers or clients because of that mistake.
Training employees about data-handling procedures is as important as teaching them to recognize phishing attempts. One frequent suggestion is to minimize the number of people with access to any given set of data. Many companies do that by configuring access controls so users can only see information directly related to their task or role, which limits what a phished account or a misdirected email can expose.
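The role-based, deny-by-default access control just described, as an added example that is not from the article: roles map to permitted (data class, action) pairs, anything unlisted is denied, and two audit helpers show how many people can reach a sensitive data class and which granted permissions a user never actually exercises. The roles, users, data classes and the "observed usage" set are all constructed for illustration.

```python
"""Role-based, deny-by-default access control with a least-privilege audit.

Added example, not code from the article. Every role, user, data class and
observed-usage record below is constructed for illustration.
"""
from collections import defaultdict

# Constructed policy: each role lists the (data_class, action) pairs it may use.
# Anything not listed is denied; there is no wildcard and no "admin sees all".
ROLE_PERMISSIONS = {
    "sales": {("customer_contacts", "read"), ("customer_contacts", "write")},
    "support": {("customer_contacts", "read"), ("tickets", "read"), ("tickets", "write")},
    "finance": {("invoices", "read"), ("invoices", "write"), ("customer_contacts", "read")},
    "hr": {("employee_records", "read"), ("employee_records", "write")},
}

# Constructed user directory: user -> set of roles held.
USER_ROLES = {
    "alice": {"sales"},
    "bob": {"support"},
    "carol": {"finance"},
    "dave": {"hr"},
    "erin": {"sales", "support"},  # roles accumulated over time
}


def granted_permissions(user):
    """Union of the (data_class, action) pairs granted by all of the user's roles."""
    return {
        pair
        for role in USER_ROLES.get(user, set())
        for pair in ROLE_PERMISSIONS.get(role, set())
    }


def is_allowed(user, data_class, action):
    """Deny by default: True only if some role of the user grants this exact pair.
    Unknown users and unknown roles have no permissions at all."""
    return (data_class, action) in granted_permissions(user)


def users_with_access(data_class, action="read"):
    """Everyone who can perform `action` on `data_class`; the number to minimise."""
    return sorted(u for u in USER_ROLES if is_allowed(u, data_class, action))


def access_matrix():
    """data_class -> sorted users with any access to it (the audit view)."""
    matrix = defaultdict(set)
    for user in USER_ROLES:
        for data_class, _ in granted_permissions(user):
            matrix[data_class].add(user)
    return {k: sorted(v) for k, v in matrix.items()}


def unused_permissions(user, used):
    """Permissions granted to `user` but absent from `used`, a set of
    (data_class, action) pairs observed in access logs. These are the
    candidates for removal under least privilege."""
    return sorted(granted_permissions(user) - set(used))


if __name__ == "__main__":
    print(is_allowed("alice", "customer_contacts", "read"))  # True
    print(is_allowed("alice", "employee_records", "read"))   # False: not in role
    print(is_allowed("mallory", "tickets", "read"))          # False: unknown user
    print(users_with_access("employee_records"))             # ['dave']
    print(access_matrix())
    # Constructed log summary: erin only ever read contacts and tickets.
    observed = {("customer_contacts", "read"), ("tickets", "read")}
    print(unused_permissions("erin", observed))
```

Run it stand-alone to see the checks and the audit output. The two audit helpers are the practical part: `users_with_access` answers "how many people can reach this data?", and `unused_permissions` shows which grants a user has never exercised and so could be revoked without affecting their work.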
- More Employees Use Personal Devices for Work
Many employers have started implementing bring-your-own-device (BYOD) policies. Doing that to handle some workplace tech needs has numerous advantages. Workers can use items they already know well, which could result in higher productivity and greater satisfaction. Plus, companies can reduce their hardware and software spending.
However, one BYOD downside is that employees may not update their devices as often as they should. Cybercriminals frequently exploit known, already-patched vulnerabilities in their attacks, which makes unpatched personal devices used for work particularly attractive targets.
A 2023 SlashNext study found 43% of employees experienced work-related phishing attacks on personal devices. It’s also problematic that 90% of security leaders identified protecting employees’ equipment as a top priority, but only 63% said they had the tools to do it adequately.
Another takeaway was that 50% of phishing attacks happen outside of email. Plus, 95% of the security leaders in the study identified phishing via private messaging apps as an increasing problem.
All of this makes it harder for IT teams to secure the personal devices employees use for work, including ensuring that the equipment runs current operating system and software versions.
- Cybersecurity Awareness Is Only Part of What’s Needed
A study published in 2023 by Zscaler ThreatLabz showed a 47.2% rise in phishing attacks for 2022 compared to the previous year. The researchers also found that cybercriminals deployed increasingly sophisticated attacks. That could mean the cybersecurity awareness training attendees receive must be more in-depth to prepare them for most potential attack methods.
Elsewhere, a 2022 study from The National Cybersecurity Alliance and CybSafe showed 58% of those who had cybersecurity training believed they were better prepared to recognize phishing and related attacks. Even so, 34% of that group still experienced at least one type of cybercrime.
Lisa Plaggemier, executive director of the National Cybersecurity Alliance, explained that these findings highlight how cybersecurity training is crucial for helping people protect their data. Still, it is only one component of what internet users must do to keep themselves and their devices safe. She said that since cybercriminals are becoming more aggressive and successful when targeting everyday users, there must be a total overhaul in what’s done to help people build cybersecurity practices into their lives.
Phishing Education Must Evolve as Cybercriminals’ Tactics Do
Teaching people to spot and avoid phishing attempts remains relevant and necessary. However, trainers, IT teams and others involved must not treat education as a static effort that happens once during someone's time at a particular workplace.
Cybercriminals increasingly use newer and more advanced approaches to trick their potential victims, so training about phishing and related topics must be updated in step. People must also understand the importance of following online security best practices whenever they use the internet, not just at work. When both of those things happen, phishing attacks should become less successful.
About the Author
Zac Amos is the Features Editor at ReHack, where he covers cybersecurity and the tech industry. For more of his content, follow him on Twitter or LinkedIn.