Phishing attacks are an evolving cyber risk for companies and can easily catch staff unawares. Being prepared for an attack and knowing what to spot is absolutely vital to stopping phishing attempts from succeeding. Can phishing awareness training help small to midsize enterprises (SMEs) stem that tide?
As we saw in GetApp’s first look into our 2023 Phishing Attacks Survey data, these cyber incidents are very much on the rise. Furthermore, this comes at a time when some companies are in fact scaling back their protective measures.
A cyber security report published by the UK Government in April 2023 observed a drop in security controls, such as malware protection and restricted admin rights on devices, used by small to midsize enterprises. This raises many questions about the level of security awareness in small companies and the security measures they employ.
GetApp investigated by asking the sample of 349 employees and 215 senior managers, executive managers, and owners what measures their companies take to guard against phishing. Given the government findings, we were interested to see the level of protection that companies currently have in place and if they plan on expanding or contracting the level of protection in place.
Just over three in four surveyed have phishing awareness training in their firms
There’s no doubt that phishing is getting harder to spot. As we covered in part one, over 80% of UK senior managers said they thought messages were becoming harder to detect, which emphasizes the importance of phishing training for employees.
Phishing awareness training is one way to counteract the risks posed by phishing. This can take the form of sharing the most up-to-date information on how attacks could manifest, conducting simulation exercises, teaching appropriate responses, and testing employees on their knowledge of cyberattacks and phishing.
This type of training can do much to protect firms from phishing emails and other messages. Is this something companies generally use to secure themselves against attacks?
In general, we found it is already widely used by UK companies. Over three-quarters (77%) of our entire sample say their company has implemented phishing awareness training.
How is phishing awareness training provided?
The way the training is presented in firms takes a number of different forms, encompassing multimedia, written documentation, and talks on how to avoid phishing. Amongst our sample who said their company had phishing awareness training, we observed that the following solutions were most popular:
- Videos explaining phishing attacks and how to avoid them (67%): companies can use publicly available videos from other providers or create their own branded videos using video making software.
- Written internal resources explaining company policy on dealing with an attack (50%): SMEs can use policy management software to consolidate and manage all internal company policies and ensure employees have access to them at any time.
- Talks to explain phishing attacks and how to avoid them (47%): presentation software can help firms plan and present important information on protecting against phishing attacks.
- Formalised programs offering continuous learning on phishing attacks (32%): companies can take advantage of learning management software (LMS) to offer regular sessions and training.
- Informal advice from managers (21%): meeting software can assist managers with sharing essential tips on avoiding phishing with employees.
- Simulated phishing campaigns (19%): tools such as security awareness training software can help firms create phishing simulation scenarios to test employees.
Does phishing awareness training work?
The greater awareness of phishing attacks amongst staff following training seems to have paid off, at least as reported by the people running it. 88% of senior leaders with phishing awareness programs in their firms said they’ve seen a decline in successful attacks since the training programs were implemented. It was also considered useful for spotting, avoiding and reporting a phishing attack by the vast majority (92%) of employees who received training.
Lastly, we observed that 26% of employees either don’t have phishing awareness training in their company or don’t know about it. Two-thirds of this group (67%) expressed the desire for their company to implement phishing awareness training.
We can observe from these findings that phishing awareness training can be highly worthwhile for companies and, in many cases, is expected by employees. Training might be a time-consuming process but, as seen with something as damaging as phishing, it is clearly something most SMEs shouldn’t underestimate.
Companies use a mix of security measures to fight phishing
Protection of a small firm from phishing attempts requires more than just training. There are many types of cybersecurity software that can help prevent phishing messages from getting through, whilst protecting staff if they do fall for them.
Did you know?
The National Cyber Security Centre (NCSC) gives four recommendations for companies to up their defences against phishing attacks.
- Reduce information shared about your organisation to the essentials. This will help limit the data that could be used by attackers to impersonate your firm.
- Identify and report phishing attempts immediately.
- Minimise vulnerabilities in your security infrastructure to avoid the effects of undetected phishing attacks (for example, keeping software up to date, installing malware protection, or limiting administrator accounts to only key personnel).
- Respond to successful phishing incidents fast to mitigate the damage (e.g. changing login information and assessing the data accessed).
We therefore looked at a number of best practices to avoid phishing attacks that companies use to protect themselves from harm.
Is a dedicated data security team a common form of protection?
One important question to ask yourself when planning a cybersecurity strategy is how resources will be allocated within your team. This means making a decision between having a dedicated member of staff in your organisation to address these issues or to spread the responsibility amongst multiple employees.
We found that half of our respondents work in companies with either a dedicated data security team or a person dedicated to data security. 42% of respondents said their company assigns these responsibilities to the IT team. However, in 5% of cases, there is no one with assigned responsibility for data security in the company.
Whilst it seems unusual not to have a person or team dedicated to security in-house, these are tasks that can also be outsourced, which can be especially common in very small businesses with smaller headcounts. Whether this resource is in-house or external, it is, however, crucial to protect against present and future phishing attacks.
Is keeping security software updated a priority for SMEs?
Sometimes it's all too easy to hit snooze on a security software update, especially if you’re in the middle of an important task. However, not keeping up with updates can be much more costly than it seems.
Not keeping software fully up to date leaves open security vulnerabilities that cybercriminals can easily exploit. For example, the recent hack of the Electoral Commission, which exposed the personal data of up to 40 million voters, was partly caused by a failure to apply available security updates to a server. Therefore, this is something that companies, especially those handling sensitive data, need to make an essential part of their security process.
Tips for SMEs
As seen in the example above, updating software regularly can be the difference between an attack being contained and an attacker gaining a foothold. Broadly speaking, there are two ways that company leaders might ensure employee compliance:
- Regular notifications: managers can send periodic reminders to employees to keep systems updated, or urgent ones when a critical patch is rolling out.
- Update enforcement: leadership can force the upgrades by blocking tools from use until they are updated to the latest version, or by turning on automatic updates and enforcing them centrally through device management.
Training on the importance of maintaining cybersecurity systems for staff is also a priority for SMEs so employees understand the part they play in maintaining cybersecurity.
Are regular cybersecurity software updates something that companies across the UK factor in for security? It seems that this is the case for most of our sample of senior leaders.
We found that 68% of the senior managers in our survey saw this as one of the most important measures to protect company security, ranking higher than password policies and other types of software updates.
How are companies protecting systems with passwords?
Despite big tech companies such as Google and Apple rolling out passkeys as a replacement for passwords, passwords are still the go-to standard for many small companies to protect their systems from cybersecurity breaches. However, a password needs to strike a delicate balance between being easy to use and being complex enough not to be easily guessed.
Did you know?
A passkey is a password alternative built on the FIDO/WebAuthn standards. Instead of a shared secret, the user’s device holds a cryptographic key pair and signs a login challenge that is tied to the website’s own domain; the device only does so after the user unlocks it locally with a PIN, face scan or fingerprint. Because there is no secret to type and the signature is bound to the genuine domain, a lookalike site cannot capture or replay it, which is why big technology companies favour passkeys: they are far harder to phish and give users faster, secure access.
From our group of senior managers, 50% say their company has implemented strong password policies and regular password updates in their companies. This was also reflected when we asked the entire sample about their password habits.
Amongst the whole sample of employees and senior managers, 49% said that they changed their passwords as a matter of company policy. Additionally, amongst employees, just over a third (34%) said they were prompted to change their credentials by software, such as expiry rules enforced through self-service password reset (SSPR) tools.
89% of all respondents change their work-related passwords multiple times a year with nearly a third (28%) changing passwords at least once a month, seemingly indicating that company policies have an effect.
Tips for SMEs
Changing passwords frequently can seem like an easy way to stay ahead of phishing attacks. However, it is not strictly necessary unless there is a suspicion or evidence that the credentials have been compromised, and forced periodic changes tend to push people towards weaker, predictable variations of the same password. If companies use a password manager to create strong, unique passwords, alongside two-factor authentication (2FA), regular password changes aren’t needed.
Cyber security expert and Director of Riverside Court Consulting Bryan Altimas explains:
“If you are using a password manager and two-factor authorisation, I argue you do not need to change your password. Use the password manager to generate unique complex passwords or password phrases for each account and, if you want to change the password, use the password manager to generate a new password or password phrase at 6-month intervals or annually."
Most senior managers expect increased spending on anti-phishing protection
As seen in the data, phishing attacks are a big concern amongst senior managers, matched with a perception that phishing attacks are on the rise. Whilst we’ve seen evidence of a commitment to measures such as anti-phishing training amongst UK firms, does anti-phishing software help offer suitable protection as well?
How does anti-phishing software work?
Anti-phishing software protects companies by spotting and blocking phishing messages before they reach employee inboxes. It is usually part of, or sits alongside, the email security gateway: it scans message content for signs of impersonation (for example a display name claiming to be a colleague while the address is on a lookalike domain), checks links for unsafe or mismatched destinations, and verifies the sender using email authentication protocols such as Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM) and DMARC, so that messages failing those checks can be quarantined rather than delivered.
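To make the checks above concrete, here is an added example (written for this article, not code from any anti-phishing product) that triages a raw email with heuristics of the same kind: display-name impersonation, a lookalike sender domain, a Reply-To pointing elsewhere, SPF/DKIM results that are not "pass", link text that does not match the real destination, and pressure language. The organisation domain `example.com`, the phrase list, the scoring threshold and both sample messages are assumptions constructed for the demonstration; the Authentication-Results header is assumed to have been stamped by the organisation’s own mail server, which is the only source a real filter should trust for it.

```python
"""Heuristic phishing triage for a raw email (standard library only).

Added illustration for this article; not a product and not the survey's data.
ORG_DOMAIN, URGENCY_PHRASES, the sample messages and the threshold are assumptions.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

ORG_DOMAIN = "example.com"  # assumption: the defending organisation's domain

# Pressure phrases typical of phishing lures (assumed, not exhaustive).
URGENCY_PHRASES = ("urgent", "immediately", "within 24 hours",
                   "action required", "verify your account")

# Constructed sample 1: spoofed display name, lookalike sender domain, failing
# SPF/DKIM, an insecure link whose visible text hides its real destination.
PHISH_EMAIL = """\
From: "Finance Team (example.com)" <payments@examp1e.com>
To: staff@example.com
Subject: URGENT: invoice overdue - action required today
Authentication-Results: mx.example.com; spf=softfail smtp.mailfrom=examp1e.com; dkim=fail header.d=examp1e.com
Content-Type: text/html; charset=utf-8

<html><body><p>Your account will be suspended. Please verify your account
within 24 hours at <a href="http://portal.example.com.evil.test/auth">https://portal.example.com</a>.</p></body></html>
"""

# Constructed sample 2: a legitimate internal message that should pass.
BENIGN_EMAIL = """\
From: HR <hr@example.com>
To: staff@example.com
Subject: Holiday calendar for next year
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com
Content-Type: text/html; charset=utf-8

<html><body><p>The updated calendar is on the intranet:
<a href="https://intranet.example.com/hr/calendar">https://intranet.example.com/hr/calendar</a>.</p></body></html>
"""


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch lookalike domains such as examp1e.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host: str) -> str:
    """Crude 'last two labels' approximation of the registrable domain (no public suffix list)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def text_parts(msg):
    """Yield decoded text/plain and text/html bodies of a parsed message."""
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            payload = part.get_payload(decode=True) or b""
            yield payload.decode(part.get_content_charset() or "utf-8", "replace")


def analyse(raw: str, org_domain: str = ORG_DOMAIN) -> dict:
    """Return the sender, a list of findings and a verdict for one raw message."""
    msg = message_from_string(raw)
    findings = []

    display_name, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rpartition("@")[2].lower()

    # Display name claims the organisation while the address is elsewhere.
    if org_domain in display_name.lower() and sender_domain != org_domain:
        findings.append(f"display-name impersonation: '{display_name}' sent from {sender_domain}")
    # Sender domain is a near-miss of the organisation's own domain.
    if sender_domain != org_domain and levenshtein(sender_domain, org_domain) <= 2:
        findings.append(f"lookalike sender domain: {sender_domain} ~ {org_domain}")
    # Replies are silently routed to a different domain.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.rpartition("@")[2].lower() != sender_domain:
        findings.append(f"reply-to domain differs from sender: {reply_to}")

    # Authentication-Results as stamped by our own MX (assumed trustworthy here).
    auth = msg.get("Authentication-Results", "").lower()
    if "dkim=pass" not in auth:
        findings.append("dkim not pass")
    if "spf=pass" not in auth:
        findings.append("spf not pass")

    # Links: visible URL text vs real href, and plain-http destinations.
    html = "\n".join(text_parts(msg))
    for href, text in re.findall(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', html, re.I | re.S):
        href_host = urlparse(href).hostname or ""
        shown = re.search(r"https?://[^\s<]+", text)
        if shown:
            shown_host = urlparse(shown.group()).hostname or ""
            if registrable_domain(shown_host) != registrable_domain(href_host):
                findings.append(f"link mismatch: shows {shown_host}, goes to {href_host}")
        if href.lower().startswith("http://"):
            findings.append(f"insecure http link: {href_host}")

    # Pressure language in subject and body text (tags stripped).
    text = (msg.get("Subject", "") + " " + re.sub(r"<[^>]+>", " ", html)).lower()
    hits = [p for p in URGENCY_PHRASES if p in text]
    if len(hits) >= 2:
        findings.append(f"urgency language: {', '.join(hits)}")

    return {"sender": addr, "findings": findings,
            "verdict": "suspicious" if len(findings) >= 3 else "ok"}


if __name__ == "__main__":
    for name, sample in (("phish", PHISH_EMAIL), ("benign", BENIGN_EMAIL)):
        result = analyse(sample)
        print(f"{name}: {result['verdict']} ({len(result['findings'])} findings)")
        for finding in result["findings"]:
            print("  -", finding)
```

The constructed phishing message trips seven of the checks and is flagged as suspicious, while the internal HR message produces no findings. A production filter would do the same kinds of checks with much better data: a real public suffix list instead of the two-label approximation, its own SPF/DKIM/DMARC evaluation rather than trusting a header, URL reputation and sandboxing for links, and a tuned score rather than a flat count.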
In total, 75% of senior managers in our sample have anti-phishing software in place at their companies. Most of this group also report an effective level of protection from these tools, with 98% saying the software works at least from time to time and nearly two-thirds (62%) reporting it regularly prevents phishing attacks.
Given these findings and the perceived rise in phishing attacks reported by 97% of all senior managers in the survey, it was not surprising to see that many of those already using anti-phishing software expected to increase their spending on it in the coming years.
Additionally, 69% of the senior managers surveyed who work for a company that doesn’t already use anti-phishing software said their company is planning to implement it in the future.
Anti-phishing software appears to be an effective first line of defence that reduces the volume of spam and phishing emails reaching employee inboxes. It does not remove the threat, but it cuts down the number of messages that staff have to judge for themselves, which is where training and reporting take over.
Phishing protection is paramount
As we’ve seen in this study, phishing attacks are a real threat to companies of all sizes and should be taken seriously by firms. Fortunately, there are many ways that SMEs can effectively respond to these challenges to avoid phishing attacks and keep their data secure from cybercriminals.
In this article, we identified the following essential learnings:
- Most of our sample use phishing awareness training, which is having a positive impact on company protection.
- SMEs rely on dedicated security support, regular software updates, and password policies to protect their systems.
- Anti-phishing software has a high level of success in protecting against attacks and many SMEs not already using it are planning to implement it.
Proactivity is far more effective than reactivity when it comes to cybersecurity. As these findings demonstrate it is important to use a multifaceted approach to help protect staff and company data from phishing cyber attacks and to do as much as possible to avoid an attack succeeding before it happens. A phishing attempt that succeeds requires a lot more effort to fix than taking the right precautions in advance.
The data for GetApp’s 2023 Phishing Attacks Survey was collected between July and August 2023 from 564 respondents: 349 employees and 215 senior managers, executive managers, and owners. We selected our survey sample based on the following criteria:
- UK resident
- Aged 18-65 years old
- Employed either full-time or part-time with a company with at least two employees
- Using a computer for daily work tasks at least sometimes
- Has received one or more phishing attacks at work
- Understands the meaning of phishing attacks after being shown the following definition: ‘Phishing is a common type of cyber attack that targets individuals through email, text messages, phone calls, and other forms of communication usually by impersonating senders known to the recipient (e.g., package delivery, prizes, public entities, etc.). A phishing attack aims to trick the recipient into falling for the attacker’s desired action, such as revealing financial information, system login credentials, or other sensitive information. Phishing attacks are very often perpetrated against companies through their employees.’