Small and medium-sized enterprises are primarily facing phishing attacks, according to recent research
Despite growing phishing, ransomware and other types of malware threats, many small businesses do not have a cybersecurity employee training program, according to a report by experts in ethical hacking.
In a survey of nearly 500 small and medium-sized enterprises (SMEs) in the United States, researchers found that 66% of companies with fewer than 19 workers do not have any type of cybersecurity training for their employees. For companies with between 20 and 99 employees the figure is 29%, and for those with between 100 and 500 employees it is 13%.
The training programs these companies are forgoing are highly effective. An additional report notes that when employees are exposed to phishing simulations combined with continuous training, their click rate on phishing links drops by more than half, from 26% to 12%.
In general, phishing is considered the biggest threat facing SMEs today: more than half of the surveyed ethical hacking specialists regard it as such, while another 24% of respondents said they did not consider it their greatest threat, according to the report. Employees of companies with fewer than 19 workers were also the least likely to be aware of any kind of cyber threat.
As for phishing emails, the report describes very clear trends in their characteristics. The subject lines most commonly associated with phishing campaigns are:
- Quick review/review
- Bank of <EXAMPLE>; New notification
- Donation for you
- For your information:
- Required action: Pay your account balance
- Unauthorized login attempt
- Notice of payment to <EMPLOYEE’S NAME>
- Important: (1) New Message from <BANK’S NAME>
- AMAZON: Your order No # 812-4623 could arrive
- Bank Transfer
- Attend urgently
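The subject lines above share recognisable traits: urgency, money or payment language, account-security alerts, and a brand name paired with a "notification" or an order number. The following is an added example, not from the report or its authors, of a simple mail-gateway heuristic that scores incoming subject lines against those traits; the patterns, weights, threshold and sample subjects are all constructed here for illustration and are not taken from the report.

```python
from __future__ import annotations
import re

# Heuristic patterns derived from the traits of the subject lines listed above.
# Each entry is (compiled regex, weight, label). Weights are assumed values chosen
# for this example; a real deployment would tune them against its own mail flow.
PATTERNS = [
    (re.compile(r"\b(urgent|urgently|required action|action required|important)\b", re.I), 2, "urgency"),
    (re.compile(r"\b(pay|payment|balance|transfer|donation)\b", re.I), 2, "money"),
    (re.compile(r"\b(unauthori[sz]ed|login attempt|sign-?in)\b", re.I), 3, "account-security"),
    (re.compile(r"\b(bank|amazon)\b", re.I), 1, "brand"),
    (re.compile(r"\b(order|notification|new message)\b", re.I), 1, "notification"),
    (re.compile(r"\bno\.?\s*#?\s*\d{3}-\d{4}", re.I), 1, "order-number"),
]

# Constructed sample subjects: three modelled on the trends above, two benign.
SAMPLE_SUBJECTS = [
    "Unauthorized login attempt",
    "Required action: Pay your account balance",
    "AMAZON: Your order No # 812-4623 could arrive",
    "Quick review",
    "Minutes from Tuesday's standup",
]


def score_subject(subject: str) -> tuple[int, list[str]]:
    """Return (total score, matched labels) for one subject line.

    Each pattern contributes its weight at most once, so a subject that repeats
    a money word three times is not scored higher than one that uses it once.
    """
    score = 0
    labels = []
    for pattern, weight, label in PATTERNS:
        if pattern.search(subject):
            score += weight
            labels.append(label)
    return score, labels


def flag_subjects(subjects: list[str], threshold: int = 3) -> list[tuple[str, int, list[str]]]:
    """Return the subjects whose score reaches the threshold, for analyst review.

    The threshold is an assumed value: 3 means either a single account-security
    cue or a combination of two weaker cues is enough to quarantine for review.
    """
    flagged = []
    for subject in subjects:
        score, labels = score_subject(subject)
        if score >= threshold:
            flagged.append((subject, score, labels))
    return flagged


if __name__ == "__main__":
    for subject, score, labels in flag_subjects(SAMPLE_SUBJECTS):
        print(f"[score {score}] {subject!r} -> {', '.join(labels)}")
```

A score like this belongs in front of, not instead of, the training the report recommends: it routes suspicious mail to review or adds a warning banner, and the matched labels give the analyst (or the employee) a concrete reason the message was flagged, which reinforces the same cues that awareness training teaches.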
The main threat to companies with between 20 and 99 employees is the naivety of their workers, with 22% of phishing attempts succeeding, so specialists in ethical hacking from the International Institute of Cyber Security recommend that SMEs focus on training their employees to handle the email they receive safely.
However, many SMEs do not have the resources to handle security at an expert level, the report found. About 41% of respondents said they had no budget for IT security, and only 12% said they had dedicated internal cybersecurity personnel. A smaller share of respondents said they had turned to third parties for periodic cybersecurity reviews.