Focus on Trends You Can Control
Ultimately, the actions and strategies attackers take are out of your control. You cannot make them send fewer phishing attacks, and you cannot stop them from creating new malware variants. What you can control is the emphasis you put on managing end-user risk. It’s important to recognize that, even outside of phishing, there are risky behaviors in play that magnify your susceptibility to data loss — sensitive files that are left unencrypted, poor password management, known vulnerabilities that go unpatched, etc.
To that end, we saw several significant positive trends in this year’s State of the Phish Report:
- 72% of infosec professionals said they assess the risk that end users pose to their organizations, a dramatic 64% increase year over year.
- More organizations are measuring their susceptibility to phishing (66% this year vs. 63% last year).
- Significantly fewer out-of-date end-user plug-ins were detected by our ThreatSim® simulated phishing tool, with an average year-over-year reduction of 57% across Adobe PDF, Adobe Flash, Microsoft Silverlight, and Java software.
- 52% of infosec professionals said they have been able to quantify a reduction in phishing susceptibility based on their anti-phishing training activities (a 40% increase from our 2016 report).
While it’s certainly important to stay on top of the latest news and threats and work to address those that affect your business, it’s critical that you prioritize risk management over risk elimination. Consistent, action-oriented advice and education — in the form of a structured, thoughtful security awareness and training program — will help your end users gain the knowledge they need to become cybersecurity advocates within your organization.