Risk
11/4/2013
03:27 PM
Dark Reading
Dark Reading
Products and Releases
Connect Directly
RSS
E-Mail
50%
50%

ThreatSim's State Of The Phish Finds Most Organizations Do Not Recognize Phishing As A True Threat

The key finding: most organizations (57%) rate phishing as a 'minimal' impact threat

HERNDON, VA--(Marketwired - Nov 4, 2013) - ThreatSim, the leading innovator of simulated phishing training and awareness solutions, today announced key findings for its 2013 State of the Phish awareness index, gauging phishing training, awareness and readiness among 300 IT executives, administrators and professionals in organizations throughout the United States.

The key finding: most organizations (57%) rate phishing as a 'minimal' impact threat (resulting in investigation and account resets), while one in four respondents (27%) reported phishing attacks that led to a 'material' breach within the last year. The survey defined 'material' as some form of malware infection, unauthorized access and lost/stolen data from a breach tied to phishing.

"While material impacts from phishing attacks can cause more damage and headlines, our customers report the cumulative effects from 'minimal' impact events are daily challenges," said ThreatSim CEO Jeff LoSapio. "There is a 'nuisance factor' in which investigations are launched, accounts reset, and staff are unable to work as their laptop is cleaned. The opportunity cost is huge especially for medium size companies where up to 50% of time in a week can be spent handling these 'minimal' impact fire drills. Reducing end user susceptibility to phishing attacks has a direct impact on reducing IT cost and increasing the security team's productivity."

The weekly headlines show that phishing continues to be one of the most active, growing and consistent threat vectors, and State of the Phish findings show most organizations are still not proactive or taking an effective stance to train end users on how not to get phished. The majority (69%) are using ineffective techniques including email notifications, webinars, and in person training.

While sixty percent (60%) of all respondents reported phishing attacks targeting their organization were increasing each year, only 10% are using phishing simulation to train their users, a technique that has proven to reduce users' click rates by up to 80%.

Other key findings from the index include:

· 30% of all respondents plan to increase budget for security training and awareness in 2014.

· 60% of all respondents see the rate of phishing increasing each year.

· 70% of all respondents reported not measuring their organization's exposure to phishing.

· Out-of-date 3rd party software on desktops should be viewed as another critical threat vector. The index found 44% of all respondents are not formally managing 3rd party software, representing a weakness in organizational ability to prevent damage associated with phishing attacks.

"Phishing simulation is proven to be the most effective means to educate end users and reduce susceptibility to phishing attacks," LoSapio said. "While budgets are increasing for thirty percent of all respondents, sadly fewer than ten percent are using this successful technique."

State of the Phish surveys were completed double blind and transmitted electronically via a third-party survey service between Sept. 26 and Oct. 4, 2013. To download the complete key findings and methodology report, including a special report featuring ThreatSim consolidated customer trending data during 2013, visit http://threatsim.com/resources/2013-state-of-the-phish/.

ThreatSim customers, including a top 10 mutual fund firm, a top three U.S. utility and one of the largest government defense contractors, have achieved up to an 80% reduction in the rate of employees who click on phishing e-mail messages. Available in 11 languages and country themes, ThreatSim simulations are extremely realistic, coupled with effective training content that equips employees with the skills to identify and avoid phishing attacks. ThreatSim is a secure hosted Software-as-a-Service that requires no installation or configuration.

About ThreatSim

ThreatSim is the leading innovator of simulated phishing defense training and awareness solutions. Headquartered in Herndon, Va., outside Washington, D.C., ThreatSim delivers highly-scalable, feature-rich, SaaS-based phishing and advanced threat training campaigns that measurably lower organizational risk exposure. ThreatSim customers include large commercial enterprises, SMBs, government organizations and academic institutions. Request a demo, visit www.threatsim.com and follow @ThreatSim.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-0914
Published: 2014-07-30
Cross-site scripting (XSS) vulnerability in IBM Maximo Asset Management 6.2 through 6.2.8 and 6.x and 7.x through 7.5.0.6, Maximo Asset Management 7.5 through 7.5.0.3 and 7.5.1 through 7.5.1.2 for SmartCloud Control Desk, and Maximo Asset Management 6.2 through 6.2.8 for Tivoli IT Asset Management f...

CVE-2014-0915
Published: 2014-07-30
Multiple cross-site scripting (XSS) vulnerabilities in IBM Maximo Asset Management 6.2 through 6.2.8, 6.x and 7.1 through 7.1.1.2, and 7.5 through 7.5.0.6; Maximo Asset Management 7.5 through 7.5.0.3 and 7.5.1 through 7.5.1.2 for SmartCloud Control Desk; and Maximo Asset Management 6.2 through 6.2.8...

CVE-2014-0947
Published: 2014-07-30
Unspecified vulnerability in the server in IBM Rational Software Architect Design Manager 4.0.6 allows remote authenticated users to execute arbitrary code via a crafted update site.

CVE-2014-0948
Published: 2014-07-30
Unspecified vulnerability in IBM Rational Software Architect Design Manager and Rational Rhapsody Design Manager 3.x and 4.x before 4.0.7 allows remote authenticated users to execute arbitrary code via a crafted ZIP archive.

CVE-2014-2356
Published: 2014-07-30
Innominate mGuard before 7.6.4 and 8.x before 8.0.3 does not require authentication for snapshot downloads, which allows remote attackers to obtain sensitive information via a crafted HTTPS request.

Best of the Web
Dark Reading Radio