Phishing is a tried-and-true attack vector. These attacks account for 15% of all data breaches, according to IBM. Security leaders are well aware of the risks, and it is standard for enterprises to put their employees through some kind of phishing training. But that training doesn’t seem to be making users, and by extension their employers, any less vulnerable.
“Even though we see higher levels of awareness of the risks and danger, we still see increasing numbers of successful attacks,” says Naama Ilany-Tzur, assistant teaching professor, information systems at Carnegie Mellon University.
Simply looking at the volume of phishing attacks will tell you that something else has to be done. Plus, there is mounting research that shows just how ineffective phishing training is. Where does that leave security leaders who are often the ones in charge of leading these training programs? They need to evaluate their enterprises’ current phishing training strategies, consider the potential gaps and explore ways to change their approach.