The majority of employees receive no social engineering awareness training, leaving them vulnerable to phishing and other types of social engineering tactics. Knowledgeable employees, research shows, are the first line of defense for a modern company.
A GetApp survey showed that most companies pay no attention to how their employees navigate the maze of social engineering. The numbers reveal once more why attackers usually target people first and the infrastructure second. The only sensible solution for companies is to train their employees to recognize the dangers.
Hackers' willingness to go after employees grows in proportion to companies' lack of preparedness. Almost 75% of companies never equip people with even minimal training, which means that these organizations put themselves at risk. Social engineering can target specific people with spear-phishing techniques or business email compromise (BEC) attacks, which are much easier to pull off against a cyber-unaware workforce.
The problem is compounded by the fact that 43% of employees don't receive data security training regularly, and 8% have never received formal training of any kind. Proofpoint's 2019 Human Factor report shows that attackers exploit human flaws in 99% of attacks by mimicking business routines.
"Most people are trusting and willing to help others: It's two of the primary human characteristics that have allowed us to build a successful society. But some see generous human nature as something to cynically exploit for access to information and profit," reveals GetApp’s report. "Several elements of human nature are targeted by social engineers, including an inclination to help others, avoidance of conflict and the willingness to follow direction."
Companies can use employee security training as a shield, but that's not enough. A critical step is the internal security audit, which can root out hidden issues. For example, a poll conducted across the United States, Australia, France, Germany and the United Kingdom found that 59% of people use the same password everywhere. Such a weakness would cause havoc in an organization that doesn't pay attention to what employees use on its systems.
Phishing and other social engineering techniques are routinely used as attack vectors against companies, but they succeed only when people don't know how to safeguard against them. Training employees to recognize a phishing attempt is the equivalent of teaching kids not to talk to strangers, making prevention a solid first step towards strengthening a company's cybersecurity posture.