Phishing simulation training for employees appears to work better at critical infrastructure organizations than it does across other sectors, with 66% of those employees correctly reporting at least one real malicious email attack within a year of training, new research has found.
The findings of the report — published this week by Hoxhunt — suggest that critical infrastructure employees are comparatively more engaged in organizational security than those in other corporate workplaces. Indeed, the report also revealed that threat-detection behavior among critical infrastructure employees is 20% higher than other industry averages.
While these findings might seem counterintuitive, there are a couple of key reasons that critical-infrastructure employees would be more alert to potential threats to their company's IT and Internet of Things (IoT) environments: The inherently critical nature of their work and the policies that govern it, Mika Aalto, co-founder and CEO at Hoxhunt, tells Dark Reading.
"We believe critical infrastructure employees are more likely to report phishing emails due to the fact that [these organizations] put great emphasis on maintaining compliance to very strict regulatory issues," he says. "This, and the fact that employees of critical infrastructure organizations exhibit unusually active and high-performing threat reporting behavior."
Indeed, the critical-infrastructure sector has some unique incentives due to its focus on regulatory policy to spur its employees to participate in security training and thus may be making a stronger strategic investment in such programs that other organizations aren't, notes one security expert.
For one, the energy sector in particular is one of the top targets for social engineering and phishing attacks, since disruptions can have massive downstream economic effects, observes Krishna Vishnubhotla, vice president of product strategy at mobile security solution provider Zimperium.
Secondly, the sector's compliance requirements may be more of an incentive to train employees, whereas "other sectors might not be as incentivized to invest in training without regulatory pressure," he says in an email to Dark Reading.
Tracking the Data
Hoxhunt researchers analyzed more than 15 million phishing simulations and real email attacks, reported in 2022 by 1.6 million people participating in security behavior change programs.
Phishing simulation programs and related employee security training, which security experts recommend as part of an organization's overall cybersecurity defense posture, are aimed at helping employees identify and then proactively report malicious campaigns or threats to the corporate IT environment.
Numerous reports have found that human behavior is still a key driver of security gaffes and data breaches across all organizations, demonstrating the value of behavior-focused employee training programs, notes Timothy Morris, chief security advisor at Tanium, a provider of converged endpoint management.
"It still holds true that humans are the weakest link in cybersecurity," he says in an email to Dark Reading. "Millions are spent on security tools. Yet, one clicker can circumvent it all."
This was painfully true in the May 2021 Colonial Pipeline attack, when the use of a single password — obtained through an unspecified data leak — allowed for a ransomware attack that severely disrupted fuel distribution across the US for weeks.
Though it's unclear if phishing was the culprit in the leak, the attack demonstrated how obtaining one employee's legitimate credentials can have catastrophic consequences in the critical-infrastructure sector.
The good news is that critical infrastructure is showing a high resilience ratio — the rate of success versus failure — in spotting phishing attacks during simulations compared to the global industry average, according to the report. The sector has a 10.9% resiliency rate, 51% higher than the global average of 7.2%, a figure that Aalto called the most surprising data point of the report.
Moreover, employees in the sector seem to catch on quickly through trainings that directly engage them in spotting phishing attacks, the research found. Though they start off with higher rates of missing an attack in the simulations, a year after training they are 65% less likely to participate in a simulated attack.
One type of phishing attack that appears to fool employees across all sectors but especially within critical infrastructure is one that uses spoofed internal organizational communications to ensnare victims. The Hoxhunt findings reported an 11.4% higher chance of a critical-infrastructure organization being compromised by this type of attack compared to global averages.
Moreover, employees in the communications, marketing, and business development departments showed the highest tendencies to fall for phishing campaigns, which was in line with global averages, the researchers found.