Data Security

Training Cuts Phishing Success

• By Dian Schaffhauser
• 01/23/18

A new study by a security training company has found that even a few months of security awareness instruction can have a big impact on how well recipients respond to phishing attempts. In the education segment, specifically, KnowBe4 found that 27.16 percent of staff were "phishing-prone" — likely to open e-mails or click on files containing malware. After three months of training, the same people were 30 percent less likely to open such e-mail; and after a year, they were 88 percent less likely to do so.

KnowBe4 sells online training that's intended to help employees "make smarter security decisions." E-mail phishing, along with social engineering, is a common way for malware to make its way onto school networks.

For the recent study, the company drew from its database of 11,000 organizations, employing more than 6 million users. The phish-prone percentage was calculated by the number of people who clicked on a simulated phishing e-mail link or opened an infected attachment during a testing campaign that used the KnowBe4 platform. While the research project examined every type of business represented in its customer base, education fell right into the average of about 27 percent across all industries.

Small educational organizations — those with under 250 employees — were at the greatest risk, with phish-prone staffers making up 29 percent of all employees, compared to 26 percent of schools with 250 or more employees. After three months of computer-based training that used sample phishing e-mails, the smaller organizations saw the greatest gain, dropping to 17 percent vs. 20 percent for the larger entities. Following a full year of training and at least 10 phishing tests, in schools with fewer than 250 staff members, just 3 percent were likely to fall for a phishing test compared to 4 percent for their larger brethren.

KnowBe4's website includes a free tool that, with registration, allows IT organizations to run a phishing security test among employees, up to 100 users. Subscription pricing for the training service is based on a per-user, per-year basis.

"The new research uncovered some surprising and troubling results," said company CEO Stu Sjouwerman, in a press statement. "However, it also demonstrates the power of deploying new-school security awareness training by lowering a 27 percent Phish-prone result to just over 2 percent."