They had some interesting findings on gender (it made no difference) and age (young and older employees seemed more likely to fall for phishing), but this is the one that I think impacts a lot of what we do when it comes to protecting against phishing:
An interesting finding in the ETH study is that employees who are continuously exposed to phishing eventually fall for it, as 32.1% of the study participants clicked on at least one dangerous link or attachment.
They go on to point out the importance of having a tool that blocks most attempts, and clearly that becomes important if we know that our users are eventually going to fall victim. On the other hand, if we know that the likelihood of a bad action increases with the number of phishing emails that come in, we also need to accept that the attackers see this too and will be amping up the volume of emails. We need to consider this when we talk about training, not just defense.
How do we keep resilience up among our users so that they don’t get lazy as more and more phishing attempts come at them? Clearly, what we are doing is not getting the desired results, so what can we do differently? Does once-a-year training accomplish this? Do we need shorter, more frequent training and reminders? Do we need to spend a bit more time doing due diligence on user activities?
How do we make sure security awareness is an everyday activity instead of something we focus on occasionally, in between doing our job?
These are not easy questions, but given these results, maybe we should be talking about it.