Earlier this month, the Terranova Security Global Phishing Benchmark Report revealed some critical findings from the 2020 Gone Phishing Tournament™.
The Tournament, which saw employees from organizations across the globe participate in phishing simulations, showed that phishing email click rates were 9% higher in 2020 and that 13% of users submitted passwords on phishing webpages.
The data suggest that employees are even more susceptible to phishing attacks than they were in 2019 and that current approaches to security awareness training must include real-world phishing simulations for reliable detection.
This article will examine what the gone phishing tournament and why phishing simulations are vital to keeping your organization secure.
What is the Gone Phishing Tournament?
The Gone Phishing Tournament is an annual cyber security event organized by Terranova Security to mark National Cyber Security Awareness Month. The 2020 edition was co-sponsored by Microsoft.
During the event, employees from organizations across the globe participated in phishing simulations and tried to detect scam emails in real-time. The data collected throughout the event revealed that many employees weren’t able to identify phishing emails.
One of the most shocking finds was that 20% of employees still clicked on phishing email links, even if their organization had a security awareness or phishing training program in place.
Findings also showed that North Americans struggled the most, with a 25.5% click rate and an 18% overall credential submission rate, meaning that over 7 out of 10 clickers compromised their login data. In contrast, users in Europe exhibited lower click and submission rates of 17% and 11%, respectively.
Overall, the Gone Phishing Tournament showed that a substantial number of enterprises aren’t providing employees with adequate security awareness training, leaving them at risk of falling victim to the latest online phishing scams.
The Importance of Phishing Simulation Training
Phishing simulations are the most important tool that organizations have to help employees detect phishing attempts in real-world environments. Phishing awareness training enables cyber security leaders to:
1. Reduce threat and risk levels by a considerable margin
Phishing simulations show employees what real phishing scams look like, so they can spot them independently in their day-to-day work.
2. Increase organizational awareness of the latest scams
Deploying regular security awareness training initiatives and supporting those with simulation-based phishing awareness training increases organizational awareness of the latest scams. This knowledge base enables employees to safeguard data from opportunistic cyber criminals.
3. Minimize the costs associated with being victimized by a phishing attack
The greater the threat awareness level of your employees, the less chance there is that they will fall victim to a phishing attempt, reducing the risk of reputational damage, identity theft, and fraud.
4. Accurately measure individual and organizational vulnerability levels
Phishing simulation tools can assess an employee’s ability to detect phishing attempts and accurately measure the level of threat awareness across an entire organization.
5. Lessen the automatic trust response by changing user behavior
Completing a simulation shows employees that phishing scams are everywhere and illustrates why you can never take an email from an unknown sender for granted, even if it appears legitimate at first glance.
6. Provide employees with targeted feedback and just-in-time training
A phishing simulation will also provide you with specific feedback on improving the security habits of employees. For example, you can identify users who click through to phishing sites and provide extra support to help them become more security-conscious and verify links.
7. Improve user reporting and responses to phishing attempts
Giving employees the opportunity to interact with phishing scams provides them with valuable experience they can use to detect phishing attempts when they encounter them in a real-world circumstance.
8. Assign specific role-based phishing training for enhanced relevancy
Role-based phishing training provides guidance to employees in high-risk roles, so they know how to identify relevant threats, such as spear phishing attempts.
9. Protect confidential data, both personal and organizational
If employees can recognize the signs of a phishing scam, then they will be far less likely to hand over confidential personal and organizational information to fraudsters, reducing the chance of a data breach.
10. Create a cyber-secure culture made up of cyber heroes
Providing employees with educational phishing simulations as part of your cyber security awareness training helps employees learn valuable skills to stay safe online and promotes a cyber-secure culture throughout your organization.
How to Create Powerful Phishing Simulation Training Campaigns
There are several things cyber security leaders can do to build a phishing simulation training campaign:
1. Target the right user behaviors
Delve into your existing cyber security data and pinpoint patterns or specific actions that have led to data breaches. With this intel, you can target changes to address these vulnerabilities (such as clicking on malicious email links).
2. Create phishing simulations that address specific weaknesses
If your employees have had problems detecting phishing scams in the past, then create phishing simulations that address those found weaknesses. You can also up the difficulty level by adapting them for new scenarios to prepare users to counter emerging threats.
3. Collect real-time phishing simulation data
Collect real-time phishing simulation data to facilitate the assessment, maintenance, and refinement of your security awareness initiatives. This data helps you improve your organizational awareness over time.
4. Track and monitoring user progress
Continuously monitor user progress to measure the knowledge of your users and to assess the overall effectiveness of your security awareness training.
5. Deploy just-time training modules for instant feedback
Provide just-in-time training modules with instant feedback to ensure that employees have actionable information to increase their phishing detection rate.
6. Utilize customizable simulation templates
Use customizable simulation templates to tailor every aspect of the training process to help meet your unique cyber security goals and address the unique risk factors your organization faces.
7. Choose a scalable, inclusive and mobile responsive solution
Always opt for a training solution that’s inclusive, scalable, multilingual, accessible, and mobile responsive so that you can seamlessly support a global user base.
The Gone Phishing Tournament showed that many organizations aren’t quite ready to address the challenge of defending against online phishing threats. As phishing scams grow more sophisticated, the only way to consistently detect them is by supporting employees with a rigorous cyber security awareness program that includes phishing simulations.
The Latest Click Rate Benchmarking for Security Awareness Leaders
Get your complimentary copy of the 2020 report!