KnowBe4’s 2023 Phishing by Industry Benchmarking report was recently released! The report is a beefy 35 pages, but as Marco is a KnowBe4 partner, we can provide all of the highlights for you right here.
Which industries are doing well — and not so well — at training their employees? And more to the point, is yours on the naughty list? Time to find out…
Key Takeaways
KnowBe4’s report lists the Phish-Prone Percentage (PPP) of each industry and ranks their scores by size. In our summary, small refers to organizations with 249 employees or fewer. Medium refers to organizations with 250–999 employees, and large refers to organizations with over 1,000 employees.
The Good…Kinda
Below are the industries that have the lowest PPP in their size category:
- Small organizations — the legal industry (25.6%)
- Medium organizations — government (26.%)
- Large organizations — government (25.7%)
And here are some kudos to midsize hospitality organizations, which dropped their score from 39.4% to 28.5%. Nice work!
Unfortunately, their larger counterparts went the wrong direction — increasing from 20.4% in 2022 to 29.5% just a year later. Unfortunately, the hospitality industry remains an attractive target for cybercriminals because of the wealth of sensitive information they keep on file. The fact that their employees are often spread across the globe also adds to their vulnerability.
The Bad
Here are the industries that have the highest PPP in their size category:
- Small organizations — healthcare and pharmaceuticals (32.3%), retail and wholesale (31.5%), education (31.2%)
- Medium organizations — healthcare and pharmaceuticals (35.8%), energy and utilities (33.6%), construction (31.3%)
- Large organizations — insurance (53.2%), energy and utilities (51.1%), consulting (48.2%)
Banking (43%) and healthcare and pharmaceuticals (46.7%) also got a dishonorable mention among large organizations. And here’s some additional unpleasantness — the same large org. industries have had the worst scores for two years straight.
The Ugly
The industries with the lowest PPP scores shouldn’t exactly be breaking out the champagne. It only takes one click on a malicious link or one compromised email for a cybercriminal to do real damage. So while improvement is laudable — and perfection is unrealistic — all of these scores are still alarmingly high.
And then there’s this nugget — the report found that employees across all industries and organization sizes were actually more prone to phishing in 2023 than in 2022 by almost a full point. Currently, overall PPP scores are hovering at 33.2%. That means that every organization without robust security awareness training risks being exposed to social engineering and phishing scams by a third of their workforce.
The Effectiveness of Security Awareness Training for End Users
Why are the numbers so bad? Most people believe that they’re too smart to fall for phishing scams, and that overconfidence gets them into trouble. That, and other misconceptions about modern phishing scams tend to get smart people to do stupid things.
At Marco, we’ve been strong advocates of robust security awareness training for years to help educate employees on how to spot a phish. Ongoing training has proven to be remarkably effective. But you don’t have to take our word for it. Here’s what the 2023 report has to say:
33.2%Average baseline PPP across all industries/sizes |
18.5%Average PPP across all industries/sizes after 90 days of training |
5.4%Average PPP across all industries/sizes after a year of ongoing training |
82%Average improvement across all industries/sizes |
At this point, you might be wondering if your employees are as susceptible as this report would have you believe. And that brings us to our next point…
Simulated Phishing for Employees
Are your repeated reminders for your employees actually doing their job? Or would a cybercriminal be able to trick one of your accountants to share their login credentials?
Don’t underestimate them — modern phishing scammers often take advantage of cognitive biases to bait the hook.
If you don’t already know how your employees would perform, you’ll need to find out. In addition to assessing your current risk, getting a baseline test can also let you know if any future training is doing what it’s supposed to. Then, once an ongoing security awareness training program is in place, KnowBe4 (and Marco’s cybersecurity team) recommends simulated social engineering tests once a month to change stubborn habits.
New School Security Awareness Training
Not all security awareness training programs are that effective. If yours hasn’t had the desired outcome, there are a few common reasons why. Many programs fail to properly engage employees, and few programs allow employees to receive more targeted training that’s tailored to the attacks they are likely to face in their roles.
KnowBe4’s new-school security awareness, powered by AI, allows you to offer more relevant content for end users and increase engagement. And their simulated phishing tests are designed to enable your employees to recognize increasingly sophisticated attacks — without many of the dead giveaways like spelling or grammatical errors that characterized old-school phishing scams.
Here are a few promising new capabilities:
- Users can select additional training content based on their interests
- You can track end-user engagement and progress to help gauge interests in topics and preferences for future training programs
- Users can filter and search training recommendations by content type, topic, and keyword
Making Smart, Strategic Decisions About Security
We’re passionate about cybersecurity at Marco, but to be honest, we’re just as frustrated with cyberattacks on small to midsize businesses as you are. And we get that most organizations don’t have unlimited resources to throw at this problem.
If you’re wondering where you should invest now and what can safely wait, we can help! Our cybersecurity assessments are designed to help organizations identify their biggest vulnerabilities, and make recommendations accordingly. These assessments aren’t just scans performed from afar; we’ll conduct a thorough investigation of your processes, your tools, your configurations, and more to make sure we’re giving you solid information that can demystify cybersecurity protocols and simplify your decision-making for years to come.