
Industries with the Lowest Risk Phish Response


Phishing causes enormous damage to an organization. Take, for instance, the ransomware attack on Colonial Pipeline in 2021. The company is responsible for supplying around 45% of fuel on the East Coast of the USA. A phishing email was the most likely initiating point of an attack chain that resulted in a $5 million ransom, over 100 gigabytes of data stolen, and a system-wide computer lockdown. 

Companies that can protect themselves against phishing attacks are at an advantage, as phishing is the most common cyber-attack vector. However, some industries are more prone to the risk of phishing than others. A study from TitanHQ exploring the effectiveness of automated simulated phishing, "2023 Automated Phishing Simulation Success Report," captured the best and worst industries for phishing susceptibility. The report covered a year of metrics captured during regular phishing simulation exercises; TitanHQ analyzed the data to find out which industries are the most and least susceptible to phishing.

Here, TitanHQ explores those industries that are the least susceptible to phishing attacks and what organizations in those sectors are doing right.
 

What Does Having a Low Phishing Susceptibility Protect Against?

The TitanHQ study used phishing simulation metrics to calculate two industry benchmarks: Phish Vulnerable Percentage (PVP) and SMSish Prone Risk (SPR). The companies with the lowest PVP scores were less likely to become victims of phishing-related attacks. Low phishing risk protects an organization from a host of damaging cyber-attacks, including the following:

Ransomware: Phishing is a commonly used vector to deliver ransomware or steal credentials that open the network to ransomware infection. In 2021, over three-quarters (78%) of organizations experienced an email-based ransomware attack.

Credential Theft: Stolen login credentials can lead to many cyber-incidents, including ransomware, data theft, IT damage, and data exposure. According to the Verizon Data Breach Investigation Report for 2023, 49% of cyber-attacks involve using stolen credentials.

Business Email Compromise (BEC): In 2020, the Puerto Rican government fell victim to a BEC scam. Rubén Rivera, finance director of Puerto Rico's Industrial Development Company, mistakenly transferred $2.6 million to a cybercriminal's bank account. The transfer resulted from an email received by Rivera asking for a payment to be made to a supplier's bank account; the email explained that the bank details had recently changed. BEC scams typically have an element of phishing and social engineering that can be difficult to detect unless a person has had phishing training.
 

The TitanHQ Automated Phishing Simulation Success Report

Phishing metrics data were analyzed by TitanHQ and used to generate the report on automated phishing simulation success. The data generated PVP scores by industry type, company size, and geographic location. The industry PVP scores are averages per sector and show how vulnerable each sector is to phishing. These average scores provide a baseline for companies within that sector. This insight matters because it indicates how vulnerable an organization is to a successful cyber-attack.

The TitanHQ report covered ten industries. Each company within an industry sector was scored, and the combined scores were then used to build up a profile of phishing vulnerability per industry sector.

The Ten Industries

The ten industry sectors covered in the report are shown below:

  1. Real Estate
  2. Employment
  3. Manufacturing
  4. Transportation
  5. Air Transportation
  6. Biotechnology
  7. Aerospace
  8. Accommodations
  9. Auto
  10. Government

Phishing simulation metrics were used to calculate the average PVP per sector. The metrics were collected from companies participating in automated phishing simulation exercises over 12 months. Regular fake phishing sessions were carried out to test employees' reactions to receiving a simulated phishing email. The platform used to train employees and generate metrics was SafeTitan simulated phishing. These metrics represent typical behaviors of an individual confronted by a phishing email. At the end of the study, the phish vulnerability score (PVP) was calculated for each of the ten industries. Here is a look at the top five sectors with the lowest risk profile for phishing vulnerability.
 

The Five Lowest-Risk Industries for Phishing

Out of the ten industry sectors tested for phishing vulnerability, the following came out as the least at risk:

  1. Air Transportation (5.63%)
  2. Manufacturing (5.42%) 
  3. Transportation (4.44%) 
  4. Real Estate (4.43%)
  5. Employment (3.98%) 

The scores in brackets show the starting point for phishing vulnerability, i.e., the initial PVP. All five industry sectors were at low risk for phishing and less likely than other industries to be victims of a successful phishing incident. After 12 months of regular simulated phishing training, four of the low-risk industries continued to show improvement on already good PVP scores. Manufacturing came out best with a further 26% drop in PVP score to 4.01%.

Looking at the average scores across all the ten industries demonstrates the low risk of these industry sectors; at the start of the experiment, the average PVP score across the ten sectors was 11.03%; this was reduced to an average of 8.78% 12 months later. The average score for the five lowest-risk industries was 4.78%.
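As an added illustration (not code from the TitanHQ report), here is how a security team could reproduce the report's PVP aggregation on its own simulation results: per-sector PVP from delivered versus failed counts, a lowest-risk ranking, the five-sector average, and the relative drop between the baseline and the 12-month follow-up. The campaign counts are constructed and hypothetical, chosen so the ratios match the percentages quoted in the article.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class CampaignResult:
    """One simulated-phishing send: users who received the lure and users who
    took the risky action (clicked the link or submitted credentials)."""
    sector: str
    phase: str        # "baseline" (first simulation) or "month12"
    delivered: int
    failed: int


def pvp(results, sector, phase):
    """Phish Vulnerable Percentage: failed / delivered over every campaign in
    the sector and phase, as a percentage rounded to two decimals."""
    selected = [r for r in results if (r.sector, r.phase) == (sector, phase)]
    delivered = sum(r.delivered for r in selected)
    if delivered == 0:
        raise ValueError(f"no campaigns for {sector}/{phase}")
    return round(100.0 * sum(r.failed for r in selected) / delivered, 2)


def rank_sectors(results, phase):
    """All sectors seen in the phase, lowest PVP (least risky) first."""
    sectors = {r.sector for r in results if r.phase == phase}
    return sorted(((s, pvp(results, s, phase)) for s in sectors), key=lambda t: t[1])


def average_pvp(ranked):
    """Mean PVP over (sector, pvp) pairs, e.g. the five lowest-risk sectors."""
    return round(sum(p for _, p in ranked) / len(ranked), 2)


def relative_reduction(before, after):
    """Percentage drop in PVP between two phases; positive means improvement."""
    return round(100.0 * (before - after) / before, 1)


# Constructed sample data (hypothetical user counts, not TitanHQ's raw data).
SAMPLE = [
    CampaignResult("Air Transportation", "baseline", 10000, 563),
    CampaignResult("Manufacturing", "baseline", 6000, 325),
    CampaignResult("Manufacturing", "baseline", 4000, 217),  # second campaign, same sector
    CampaignResult("Transportation", "baseline", 10000, 444),
    CampaignResult("Real Estate", "baseline", 10000, 443),
    CampaignResult("Employment", "baseline", 10000, 398),
    CampaignResult("Manufacturing", "month12", 10000, 401),
]

if __name__ == "__main__":
    ranked = rank_sectors(SAMPLE, "baseline")
    for sector, score in ranked:
        print(f"{sector:<20} {score:5.2f}%")
    print("five-sector average:", average_pvp(ranked))
    print("Manufacturing drop:", relative_reduction(pvp(SAMPLE, "Manufacturing", "baseline"),
                                                    pvp(SAMPLE, "Manufacturing", "month12")), "%")
```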

Compared to those industries with high phishing vulnerability scores, these low-risk industries stood out as having excellent PVP scores. Biotechnology is a case in point; the biotech sector had an initial PVP score of 32.33%, significantly higher than the lowest PVP scoring industry, manufacturing, at 3.98%. The low-risk industries also saw better PVP score reduction than high-risk industries over the 12 months of phishing training.

The question is, what are those industries with low phishing susceptibility doing that other industries are not? 
 

How to Ensure Your PVP Scores Show a Low Susceptibility to Phishing

Looking at the high and low phishing vulnerability scores across industries, the question must be, what are those with low phishing vulnerability doing right?

A PVP score offers insight into the effectiveness of simulated phishing training and whether it keeps improving over time. If a score is high and stays high even after fake phishing training, the training itself must be assessed. Optimizing phishing simulation is critical to developing employee phishing training that works. Companies that continuously reduce their phishing vulnerability are using simulated phishing platforms effectively, since the aim of fake phishing training is to decrease the PVP score as much as possible. The industries with low PVP scores, and those that show improvement with regular phishing training sessions, typically optimize training by applying the following:

Carry Out Regular Training Sessions: USENET studied the effect of regular phishing training sessions. The study found that initial training meant employees knew how to deal with phishing emails for around four months post-training. After six months, employees could not confidently identify phishing emails. This study shows that training must be carried out regularly to be effective. To ensure that setting up, deploying, and tailoring fake phishing training is seamless and efficient, use an automated simulated phishing platform like SafeTitan.
 
Be Transparent with Employees: A culture of security is one where everyone pulls together to stop cyber-attacks. However, some employees may feel that sending them fake phishing emails shows a lack of trust. When carrying out simulated phishing training, bring employees with you: explain what phishing simulations are for and what the end goal is, and get employee consent.

Tailor Training: Training must be relevant. Cybercriminals often tailor their phishing campaigns to target specific roles or events, such as the end of the tax year. Advanced phishing training platforms will provide various phishing templates to help create tailored fake phishing emails. Phishing simulators must also be behavior-driven so that phishing exercises are relevant to the user and reflect their reaction to phishing emails.
 
Real-Time Interventions: People often react differently to phishing emails. Real-time interventions during training ensure that relevant and tailored training reflects these different behaviors. Phishing simulation platforms, like SafeTitan, will provide real-time learning experiences, showing employees what would have happened if they carried out this behavior with an actual phishing email, for example, if they clicked on a malicious link. By having interactive training, an individual is more likely to understand what has and could happen and how to prevent this in a real-world phishing situation.
 
Capture Metrics: Gathering metrics, such as those used in the TitanHQ study, is essential to optimizing employee phishing training. These metrics calculate your organization's overall PVP to help improve reactions to phishing emails. Knowing your PVP will allow you to tailor phishing sessions more effectively and closely align them to roles and individual needs.

The five industries with the lowest vulnerability to phishing can offer inspiration and encouragement that phishing training works.

Read the complete TitanHQ study, "2023 Automated Phishing Simulation Success Report."
