"Even when people are explicitly told to be wary of malicious email messages, they remain vulnerable to making risky cyber decisions."
55% of employees in financial services do not receive regular email security training from their organisation, despite a dramatic rise in the number of phishing incidents reported by financial services firms in the past year.
The research by Tessian found that, alongside a need for training to be delivered more regularly, the training itself needs to be more effective so that it resonates with employees.
Interestingly, the research by Tessian found that financial services was actually one of the industries most likely to provide employees with email security training on a regular basis.
However, employees in this sector were also the most likely to click on a phishing email at work. Nearly one in three (29%) financial services workers admitted to falling for a phishing scam, the highest percentage in the research.
Dr Helen Jones, cyber psychologist at the University of Central Lancashire, said: “We’ve seen, in our own research, that even when people are explicitly told to be wary of malicious email messages, they remain vulnerable to making risky cyber decisions. The problem is that phishing attacks are constantly shifting. So while email security training may provide an immediate short-term improvement in people’s ability to spot a malicious email, individuals are less able to adapt this knowledge in line with ever-changing and developing threats.”
Tim Sadler, CEO at Tessian, added: “Training needs to fundamentally change if firms want to stop people falling for the types of advanced spear phishing attacks we see today. Tick-box training exercises are not enough. As phishing attacks continually evolve, training needs to be delivered in real-time, as situations arise, and it needs to provide context. Technology can help too. Solutions that automatically detect suspicious emails can alert individuals of a potential threat and advise them on what action to take next.”