Proofpoint has released the results of a study that shows that on average, one out of 10 employees exposed to malicious links in email will click on one. Even best-in-breed companies' employees are still clicking more than 1% of the time.
And, social networking invitations (specifically LinkedIn invites) are twice as effective at persuading recipients to click than other types of email. Other top lures include other kinds of social networking communications, order confirmations and financial warnings.
Further, these threats are persistent: although most targeted users who click on malicious links within 24 hours, more than one in 15 people (roughly 7% of the users in the study) click on a phishing mail at least a month after it first appears in their inbox.
The report also found that staff clicks on malicious links twice as much as executives, and they tend to do it from their computers rather than mobile devices – 90% of total clicks on malicious URLs come from laptops and PCs. Meanwhile, 20% of those clicks happen when those computers are outside of the corporate firewall, on home or public networks.
The report also uncovered that receiving too few or too many malicious threats results in a higher user click-rate. After 100 malicious messages, odds of clicking level off at 60% likelihood.
"This research validates one of the important directions we've been taking with our enterprise security offerings, which is to provide not only protection, but also insight into how, when and where attacks are taking place," said Kevin Epstein, Proofpoint's vice president of advanced security and governance, in a statement. "The only real defense is one that acknowledges and plans for the fact that some threats will penetrate the perimeter. Someone always clicks, which means that threats will reach users.”
To combat the issue, having systems in place to gain quick insight into the details of an attack is important because it enables security teams to focus their efforts where they count and take immediate action.
"Having spent heavily on technical controls, it's disappointing to find that enterprises are still getting hacked and leaking data. CISOs are, therefore, spending more time considering the human aspects of security, as these are commonly the weak link," reads a February 2014 Forrester Research report. "75% of security decision-makers report that establishing or improving threat intelligence capabilities is a top priority for their organization."