An end to pride and prejudice: everyone is susceptible to phishing
Getting hacked only happens to the ill-advised or the low-skilled? Cybersecurity specialist Arnout Van de Meulebroucke speaks from experience when he says: “It will happen to you.”
“It will never happen to me.” “I’m familiar with computers, I’ll never fall for it.” “Phishing? Only dangerous for people who lack sufficient education or knowledge.” But the thing is: everyone with an internet connection lacks that basic digital security awareness.
It boils down to both arrogance and pride: people love to think they are smarter than others, that they have a special kind of insight into certain matters that others lack. Especially when comparing themselves to people with lower degrees or working jobs which are valued less in the social hierarchy.
Everyone is vulnerable
At Phished, we built a platform which provides anti-phishing training. By trying to phish over 55,000 users per day, we experience the dangers of pride and prejudice on a daily basis. No matter which sector you work in, no matter which country you live in, whether you are an administrative executive or your company’s CEO: you are vulnerable to phishing.
When we start our simulations, roughly 20% of all receivers will be deceived into clicking our links and/or giving up their credentials – and that’s only when we use standard template simulations. When we personalise our efforts, that percentage soars. Our conclusion is always the same: there is no discernible difference between the profiles that click. HR, Accounting, Marketing,… When it concerns phishing, all men (and women) are truly created equal.
There is one difference: IT employees are often more resentful about being phished than others. They see it as an attack on their expertise, they feel fooled and ridiculed.
It is pride that makes companies even more vulnerable to phishing, ransomware and other kinds of digital threats. While it shouldn’t have to be: more often than not, companies that were hacked try to cover up their mistakes, instead of communicating their learnings. They prefer to avoid humiliation instead of contributing new knowledge to the community, possibly preventing similar debacles at other organisations.
It is past time we do away with our false sense of security, our arrogance and our pride. If we realise and recognise that everyone is a target, that anyone can fall victim to criminal campaigns, we can finally start focussing on counteracting malicious tactics.
Proof points can be found all over the world: French IT outsourcing specialist Sopra Steria, which boasts a cybersecurity division, fell victim to the Ryuk ransomware in October; Taiwanese computer manufacturer Compal succumbed to the DoppelPaymer ransomware just three weeks ago. These are only two recent examples of assaulted IT companies. Both communicated about their situations and disclosed valuable learnings.
It shows that attitudes are slowly changing, even though it happens too gradually. Some IT companies are setting excellent examples, yet others simply don’t seem to get it. A recent study shows that only one third of the UK workforce received any sort of formal cybersecurity training over the past twelve months.
Experience teaches us that, much like the raging COVID-19 pandemic, digital threats are impossible to immunise against. The effects of an extensive cybersecurity training start to wane after the first month. After about three months, trainees will have forgotten most of it. This means that even one training per year is nowhere near sufficient.
There is no such thing as group immunity in cybersecurity; an everlasting anti-phishing training effect is wishful thinking. In order for digital education to be effective, it has to be repeated on a monthly basis; people need to experience the threats if we are to eradicate our false sense of security and start making a difference.
People are and always will be the weakest link in any security ecosystem and it is high time we treated them as the risk they pose. Because it will happen to you. You will let us in and you will learn from it. Phishing can happen to anybody, which is why everybody needs to be trained. Consistently and repeatedly.
Pride and prejudice are costing our companies, our economy and our people. It is time for a change of heart.
Arnout Van de Meulebroucke
CEO Phished, expert in phishing & cybersecurity