New research has found over 1 in 3 UK&I workers are likely to click a phishing link, according to KnowBe4’s 2023 Phishing by Industry Benchmarking Report. The report measures an organisation’s Phish-prone™ Percentage (PPP), which shows the likelihood employees will be duped by phishing or a social engineering scam.
The overall baseline for 2023, which tested an employee’s susceptibility to an initial baseline simulated phishing security test rose 5.2% from 30% in 2022, with the biggest contributor to this increase being large enterprises, with over 1,000 employees, which rose from 32.7% to nearly 40%.
KnowBe4 analysed a data set of over 12.5 million users, across 35,681 organisations, with over 32.1 million simulated phishing security tests across 19 different industries and seven geographic regions. The resulting baseline “Phish-prone™ Percentage (PPP)” measured the percentage of employees in organisations that had not conducted any KnowBe4 security training, who clicked a simulated phishing email link or opened an infected attachment during testing.
Geographically, users in the UK&I had an average baseline of 35.2%, which was only worsened by South America workers who had a baseline of 41.1%. However, after completing a mixture of security awareness training and simulated phishing security tests for 90 days, the average PPP reduced to 17.8% for UK&I workers. After twelve months, it dropped to 5.8%, proving the value of security training in improving user security awareness and the overall security culture for the organisation.
In 2020, £3.7 billion ($4.6 billion) was reportedly
lost due to cyber-enabled fraud in the UK&I, with ransomware, which is distributed commonly through social engineering techniques like phishing, continuing to plague organisations. Globally, almost a quarter
(24%) of all data breaches in 2023 are a direct result of ransomware, with human error attributing to 74% of the incidences suffered. Having examined the overall PPP across all organisations, it is clear to see why security awareness needs to be improved and the importance of simulated phishing tests.
“This report serves as a timely reminder of the ongoing threat posed by phishing attacks, which remain a highly effective and prevalent means of targeting individuals and organisations alike,” said Javvad Malik, lead security awareness advocate at KnowBe4. “Such attacks can often lead to significant reputational damage, financial loss and disruption to business operations. Moreover, it highlights the critical importance of developing and implementing a robust, multi-layered phishing defence strategy, which includes regular employee training and education, as well as the implementation of advanced threat detection and prevention technologies.”