One-quarter of enterprises have been breached by spear phishers

Two out of three infosec professionals said that their staff is being phished relentlessly, and their anti-spam filters are unable to catch the messages. Almost a quarter of the respondents said they see such messages in users’ mailboxes multiple times every day.

For the survey, PhishMe, which provides anti-spearphishing training, polled 250 infosec professionals at the Black Hat USA conference in Las Vegas last month.

The survey found that most end users receive only a minimum of information security awareness training. Nearly half (49%) of the respondents said their end users receive training only once a year; 9% said their organizations have no security training programs at all.

Among organizations that do provide security training programs, many rely on scripted, delayed forms of instruction that do not provide metrics for program managers and administrators, the survey said.

Three of the top four training methods listed by Black Hat attendees were recorded video/computer-based training (39.4%), paper tests/quizzes (32.9%), and handbooks/printed guides (28.5%). Only 16% of security professionals train their users via simulated attacks (respondents could select more than one method).

“This survey demonstrates with great clarity that phishing attacks – particularly targeted attacks – are getting through to end users with alarming regularity, yet most organizations don’t train their users on what the most current attacks look like or how to react to them”, said Aaron Higbee, chief technology officer and co-founder of PhishMe.