Risk
11/4/2013
03:27 PM
Dark Reading
Dark Reading
Products and Releases
Connect Directly
RSS
E-Mail
50%
50%

ThreatSim's State Of The Phish Finds Most Organizations Do Not Recognize Phishing As A True Threat

The key finding: most organizations (57%) rate phishing as a 'minimal' impact threat

HERNDON, VA--(Marketwired - Nov 4, 2013) - ThreatSim, the leading innovator of simulated phishing training and awareness solutions, today announced key findings for its 2013 State of the Phish awareness index, gauging phishing training, awareness and readiness among 300 IT executives, administrators and professionals in organizations throughout the United States.

The key finding: most organizations (57%) rate phishing as a 'minimal' impact threat (resulting in investigation and account resets), while one in four respondents (27%) reported phishing attacks that led to a 'material' breach within the last year. The survey defined 'material' as some form of malware infection, unauthorized access and lost/stolen data from a breach tied to phishing.

"While material impacts from phishing attacks can cause more damage and headlines, our customers report the cumulative effects from 'minimal' impact events are daily challenges," said ThreatSim CEO Jeff LoSapio. "There is a 'nuisance factor' in which investigations are launched, accounts reset, and staff are unable to work as their laptop is cleaned. The opportunity cost is huge especially for medium size companies where up to 50% of time in a week can be spent handling these 'minimal' impact fire drills. Reducing end user susceptibility to phishing attacks has a direct impact on reducing IT cost and increasing the security team's productivity."

The weekly headlines show that phishing continues to be one of the most active, growing and consistent threat vectors, and State of the Phish findings show most organizations are still not proactive or taking an effective stance to train end users on how not to get phished. The majority (69%) are using ineffective techniques including email notifications, webinars, and in person training.

While sixty percent (60%) of all respondents reported phishing attacks targeting their organization were increasing each year, only 10% are using phishing simulation to train their users, a technique that has proven to reduce users' click rates by up to 80%.

Other key findings from the index include:

· 30% of all respondents plan to increase budget for security training and awareness in 2014.

· 60% of all respondents see the rate of phishing increasing each year.

· 70% of all respondents reported not measuring their organization's exposure to phishing.

· Out-of-date 3rd party software on desktops should be viewed as another critical threat vector. The index found 44% of all respondents are not formally managing 3rd party software, representing a weakness in organizational ability to prevent damage associated with phishing attacks.

"Phishing simulation is proven to be the most effective means to educate end users and reduce susceptibility to phishing attacks," LoSapio said. "While budgets are increasing for thirty percent of all respondents, sadly fewer than ten percent are using this successful technique."

State of the Phish surveys were completed double blind and transmitted electronically via a third-party survey service between Sept. 26 and Oct. 4, 2013. To download the complete key findings and methodology report, including a special report featuring ThreatSim consolidated customer trending data during 2013, visit http://threatsim.com/resources/2013-state-of-the-phish/.

ThreatSim customers, including a top 10 mutual fund firm, a top three U.S. utility and one of the largest government defense contractors, have achieved up to an 80% reduction in the rate of employees who click on phishing e-mail messages. Available in 11 languages and country themes, ThreatSim simulations are extremely realistic, coupled with effective training content that equips employees with the skills to identify and avoid phishing attacks. ThreatSim is a secure hosted Software-as-a-Service that requires no installation or configuration.

About ThreatSim

ThreatSim is the leading innovator of simulated phishing defense training and awareness solutions. Headquartered in Herndon, Va., outside Washington, D.C., ThreatSim delivers highly-scalable, feature-rich, SaaS-based phishing and advanced threat training campaigns that measurably lower organizational risk exposure. ThreatSim customers include large commercial enterprises, SMBs, government organizations and academic institutions. Request a demo, visit www.threatsim.com and follow @ThreatSim.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
Partner Perspectives
What's This?
In a digital world inundated with advanced security threats, Intel Security seeks to transform how we live and work to keep our information secure. Through hardware and software development, Intel Security delivers robust solutions that integrate security into every layer of every digital device. In combining the security expertise of McAfee with the innovation, performance, and trust of Intel, this vision becomes a reality.

As we rely on technology to enhance our everyday and business life, we must too consider the security of the intellectual property and confidential data that is housed on these devices. As we increase the number of devices we use, we increase the number of gateways and opportunity for security threats. Intel Security takes the “security connected” approach to ensure that every device is secure, and that all security solutions are seamlessly integrated.
Featured Writers
White Papers
Cartoon
Current Issue
Dark Reading's October Tech Digest
Fast data analysis can stymie attacks and strengthen enterprise security. Does your team have the data smarts?
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-0334
Published: 2014-10-31
Bundler before 1.7, when multiple top-level source lines are used, allows remote attackers to install arbitrary gems by creating a gem with the same name as another gem in a different source.

CVE-2014-2334
Published: 2014-10-31
Multiple cross-site scripting (XSS) vulnerabilities in the Web User Interface in Fortinet FortiAnalyzer before 5.0.7 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2014-2336.

CVE-2014-2335
Published: 2014-10-31
Multiple cross-site scripting (XSS) vulnerabilities in the Web User Interface in Fortinet FortiManager before 5.0.7 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2014-2336.

CVE-2014-2336
Published: 2014-10-31
Multiple cross-site scripting (XSS) vulnerabilities in the Web User Interface in Fortinet FortiManager before 5.0.7 and FortiAnalyzer before 5.0.7 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2014-2334 and CVE-2014-2335.

CVE-2014-3366
Published: 2014-10-31
SQL injection vulnerability in the administrative web interface in Cisco Unified Communications Manager allows remote authenticated users to execute arbitrary SQL commands via a crafted response, aka Bug ID CSCup88089.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Follow Dark Reading editors into the field as they talk with noted experts from the security world.