Security behavior change firm Hoxhunt has published its latest research highlighting the resilience of critical infrastructure employees, showing a higher level of engagement in identifying and reporting phishing attempts.
Titled Human Cyber-Risk Report: Critical Infrastructure, the document investigates the human risk factor within the critical infrastructure sector, analyzing data from over 15 million phishing simulations and actual email attacks reported in 2022 by 1.6 million participants engaged in security behavior change programs.
Within the first year of participating in security behavior training programs, approximately two-thirds of critical infrastructure employees detected and reported at least one real malicious email attack.
The research also found that critical infrastructure employees exhibit 20% higher threat detection behavior than the industry average. Their organizations reach peak threat detection rates at 10 months, outperforming the 12-month average seen in most other sectors.
"Behavior-based engagement with phishing emails is better than traditional security courses as it better prepares you to recognize an attack," explained Krishna Vishnubhotla, vice president of product strategy at Zimperium.
"It becomes second nature to report it, especially when it is artificial intelligence-generated adaptive learning."
Regarding phishing simulation success rates, critical infrastructure employees displayed a 61% higher rate than the global average after 12 months of training.
"Over the past several years, attacks on critical infrastructure have become all too common, leaving fuel pumps and store shelves empty," commented Mika Aalto, CEO and co-founder of Hoxhunt.
"In response, critical infrastructure organizations and their employees are exponentially more aware and cautious of malicious activity."
Despite their strong performance in most areas, the study also revealed a vulnerability within the critical infrastructure sector. Employees in this sector are more susceptible to spoofed internal organizational communications, with an 11.4% higher failure rate in such attacks than global averages.
"The nature of threats targeting critical infrastructure is likely to continue to evolve in line with technological advancements," warned Craig Jones, vice president of security operations at Ontinue.
"Moreover, the increasing value of data might lead to more targeted ransomware attacks that aim to extract or encrypt particularly valuable or sensitive information."
Some guidelines to help organizations defend against ransomware are available in this analysis published on June 9, 2023, by security writer Shigraf Aijaz.