Training Cuts Phishing Success

A new study by a security training company has found that even a few months of security awareness instruction can have a big impact on how well recipients respond to phishing attempts. In the education segment, specifically, KnowBe4 found that 27.16 percent of staff were "phishing-prone" — likely to open e-mails or click on files containing malware. After three months of training, the same people were 30 percent less likely to open such e-mail; and after a year, they were 88 percent less likely to do so.

KnowBe4 sells online training that's intended to help employees "make smarter security decisions." E-mail phishing, along with social engineering, is a common way for malware to make its way onto school networks.

For the recent study, the company drew from its database of 11,000 organizations, employing more than 6 million users. The phish-prone percentage was calculated by the number of people who clicked on a simulated phishing e-mail link or opened an infected attachment during a testing campaign that used the KnowBe4 platform. While the research project examined every type of business represented in its customer base, education fell right into the average of about 27 percent across all industries.

Small educational organizations — those with under 250 employees — were at the greatest risk, with phish-prone staffers making up 29 percent of all employees, compared to 26 percent of schools with 250 or more employees. After three months of computer-based training that used sample phishing e-mails, the smaller organizations saw the greatest gain, dropping to 17 percent vs. 20 percent for the larger entities. Following a full year of training and at least 10 phishing tests, in schools with fewer than 250 staff members, just 3 percent were likely to fall for a phishing test compared to 4 percent for their larger brethren.

KnowBe4's website includes a free tool that, with registration, allows IT organizations to run a phishing security test among employees, up to 100 users. Subscription pricing for the training service is based on a per-user, per-year basis.

"The new research uncovered some surprising and troubling results," said company CEO Stu Sjouwerman, in a press statement. "However, it also demonstrates the power of deploying new-school security awareness training by lowering a 27 percent Phish-prone result to just over 2 percent."

About the Author

Dian Schaffhauser is a former senior contributing editor for 1105 Media's education publications THE Journal, Campus Technology and Spaces4Learning.

Featured

  • glowing digital brain above a chessboard with data charts and flowcharts

    Why AI Strategy Matters (and Why Not Having One Is Risky)

    If your institution hasn't started developing an AI strategy, you are likely putting yourself and your stakeholders at risk, particularly when it comes to ethical use, responsible pedagogical and data practices, and innovative exploration.

  • laptop screen with a video play icon, surrounded by parts of notebooks, pens, and a water bottle on a student desk

    New AI Tool Generates Video Explanations Based on Course Materials

    AI-powered studying and learning platform Studyfetch has launched Imagine Explainers, a new video creator that utilizes artificial intelligence to generate 10- to 60-minute explainer videos for any topic.

  • cloud and circuit patterns with AI stamp

    Cloud Management Startup Launches Infrastructure Intelligence Tool

    A new AI-powered infrastructure intelligence tool from cloud management startup env0 aims to turn the fog of sprawling, enterprise-scale deployments into crisp, queryable insight, minus the spreadsheets, scripts, and late-night Slack threads.

  • Stylized illustration showing cybersecurity elements like shields, padlocks, and secure cloud icons on a neutral, minimalist digital background

    Microsoft Announces Security Advancements

    Microsoft has announced major security advancements across its product portfolio and practices. The work is part of its Secure Future Initiative (SFI), a multiyear cybersecurity transformation the company calls the largest engineering project in company history.