Phishing Scam: Why Employee Training is So Worth It
Social engineering scams have become a huge concern in the workplace – with phishing scams leading the way.
What is a phishing scam?
Typically, the victim receives an email that appears to come from a known and trusted person or organization. The message uses threats, fear, and a sense of urgency to push the user into opening an attachment that installs malware, or clicking a link to a malicious website built to harvest credentials and personal or financial information.
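The indicators described above (a sender or reply address that does not match the organization it claims to be, a link whose visible text hides its real destination, urgency language, a risky attachment) can be checked mechanically before a user ever has to judge the message. The script below is an added example written for this page, not code from the original article or from any vendor product; the two sample messages are constructed, and the keyword list, the extension list and the two-label domain comparison are simplifying assumptions (a production tool would use the public suffix list and richer heuristics).

```python
"""Phishing-indicator triage for a raw RFC 822 message.

Added example, not from the original article. The heuristics below are
illustrative assumptions, not any vendor's detection logic.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed watch-lists; tune to your environment.
URGENCY_TERMS = ("urgent", "immediately", "within 24 hours",
                 "suspended", "verify your account")
RISKY_EXTENSIONS = (".exe", ".scr", ".js", ".vbs", ".hta", ".docm", ".xlsm")


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in the HTML body."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Last two labels of a hostname (assumption: no public-suffix handling)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def domain_of_url(url):
    parsed = urlparse(url if "://" in url else "http://" + url)
    return registrable_domain(parsed.hostname or "")


def triage(raw_message):
    """Return a list of human-readable indicators found in the message."""
    msg = message_from_string(raw_message)
    findings = []

    # 1. Reply-To pointing at a different domain than the visible sender.
    _, from_addr = parseaddr(msg.get("From", ""))
    from_domain = registrable_domain(from_addr.split("@")[-1]) if "@" in from_addr else ""
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if "@" in reply_addr:
        reply_domain = registrable_domain(reply_addr.split("@")[-1])
        if reply_domain != from_domain:
            findings.append(f"reply-to domain {reply_domain} differs from sender domain {from_domain}")

    # 2. Executable-style attachments; also gather the bodies for later checks.
    html_body, text_body = "", ""
    for part in msg.walk():
        filename = part.get_filename()
        if filename and filename.lower().endswith(RISKY_EXTENSIONS):
            findings.append(f"executable attachment {filename}")
        ctype = part.get_content_type()
        if ctype == "text/html":
            html_body += part.get_payload(decode=True).decode("utf-8", "replace")
        elif ctype == "text/plain":
            text_body += part.get_payload(decode=True).decode("utf-8", "replace")

    # 3. Link text that looks like a URL but whose href goes somewhere else.
    collector = LinkCollector()
    collector.feed(html_body)
    for href, text in collector.links:
        if re.search(r"https?://|www\.", text) and domain_of_url(text) != domain_of_url(href):
            findings.append(f"link text {text!r} points to {domain_of_url(href)}")

    # 4. Pressure language in subject or body.
    haystack = " ".join([msg.get("Subject", ""), text_body, html_body]).lower()
    hits = [t for t in URGENCY_TERMS if t in haystack]
    if hits:
        findings.append("urgency language: " + ", ".join(hits))
    return findings


# Constructed sample messages (not real mail).
SAMPLE_PHISH = """\
From: "Payroll Department" <payroll@example.com>
Reply-To: payroll-desk@mail-example-support.net
To: alice@example.com
Subject: URGENT: Verify your account within 24 hours
MIME-Version: 1.0
Content-Type: text/html; charset=utf-8

<html><body>
<p>Your direct deposit has been suspended. Please verify your account immediately:</p>
<a href="http://login-example.com/verify">https://hr.example.com/payroll</a>
</body></html>
"""

SAMPLE_BENIGN = """\
From: "Bob" <bob@example.com>
To: alice@example.com
Subject: Lunch tomorrow?
Content-Type: text/plain; charset=utf-8

Want to grab lunch at noon?
"""

if __name__ == "__main__":
    for line in triage(SAMPLE_PHISH):
        print("-", line)
```

Each finding is a single indicator, so a mail gateway or SOC analyst can weight them separately; none alone proves phishing, but the combination of a foreign Reply-To, a disguised link and urgency wording is exactly the pattern described above.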
According to the 2015 Data Breach Investigations Report by Verizon, 70% of cyber attacks today use a combination of phishing and hacking techniques. On average, 23% of recipients open phishing emails, and 11% click on the attachments.
Because a phishing scam preys on human curiosity and vulnerability, there has been a push for more employee training in the workplace. Here are reasons why phishing training is worth the cost.
- First line of defense. Users should be treated as the first line of defense in any security infrastructure, according to a 2015 Osterman Research white paper on phishing, and a robust training program heightens their sensitivity to phishing attempts. The recent Cost of Phishing and Value of Employee Training study by Ponemon likewise found that employees who have undergone security training and understand phishing scams are far less likely to fall victim to an attack.
- Best practices. Training staff on security policy ranked 4th among measures that help secure an organization's infrastructure in the latest workforce study by the International Information System Security Certification Consortium (ISC)². In practice, users should know how to screen their electronic communications for phishing: treat messages from unknown senders as untrusted, and be equally wary of unexpected attachments or links that appear to come from a known contact, since a phishing email is built to look like it came from someone trusted.
- It’s the law. Many regulatory frameworks (PCI DSS and the HIPAA Security Rule among them) require some form of security awareness training for employees.
- Solid backup for IT. Anti-virus, anti-spyware and anti-malware tools should be maintained and fully patched, but they cannot catch every lure; trained employees are less likely to engage with a suspicious message in the first place. User education works because phishing scams, for the most part, target individuals rather than systems.
- Security team support. “Every single phishing email that a person falls for ends up being a cost to the organization to go out and clean up the machine,” said Joe Ferrara of Wombat Security, which partnered with Ponemon on the cost of phishing study. A trained workforce means security team members spend less time on cleanup and more on proactive defense.
- Cost savings. The Ponemon study estimated the total annual cost of phishing for an average-sized organization at $3.77 million. Ponemon also found that the most effective anti-phishing training programs had a 37-fold return on investment.
- Productivity. The largest single component of phishing costs is lost employee productivity: 48% of total organizational costs come from productivity lost to successful phishing during the workday. Ponemon found that employees lose an average of 4.16 hours annually to phishing scams.
Don't fall victim to a phishing scam. Our Identity Theft whitepaper outlines threats such as phishing scams and ways to reduce your risks.