Critical Infrastructure Workers Better At Spotting Phishing

Published: 23/11/2024   Category: security

Critical-infrastructure employees are comparatively more engaged in organizational security — and compliance training — than those in other sectors.



Phishing simulation training for employees appears to work better at critical infrastructure organizations than it does across other sectors, with 66% of those employees correctly reporting at least one real malicious email attack within a year of training, new research has found.
The findings of the report — published this week by Hoxhunt — suggest that critical infrastructure employees are comparatively more engaged in organizational security than those in other corporate workplaces. Indeed, the report also revealed that threat-detection behavior among critical infrastructure employees is 20% higher than other industry averages.
While these findings might seem counterintuitive, there are a couple of key reasons that critical-infrastructure employees would be more alert to potential threats to their company's IT and Internet of Things (IoT) environments: the inherently critical nature of their work and the policies that govern it, Mika Aalto, co-founder and CEO at Hoxhunt, tells Dark Reading.
"We believe critical infrastructure employees are more likely to report phishing emails due to the fact that [these organizations] put great emphasis on maintaining compliance to very strict regulatory issues," he says. "This, and the fact that employees of critical infrastructure organizations exhibit unusually active and high-performing threat reporting behavior."
Indeed, the critical-infrastructure sector has some unique incentives, due to its focus on regulatory policy, to spur its employees to participate in security training, and thus may be making a stronger strategic investment in such programs than other organizations aren't, notes one security expert.
For one, the energy sector in particular is one of the top targets for social engineering and phishing attacks, since disruptions can have massive downstream economic effects, observes Krishna Vishnubhotla, vice president of product strategy at mobile security solution provider Zimperium.
Secondly, the sector's compliance requirements may be more of an incentive to train employees, whereas other sectors might not be as incentivized to invest in training without regulatory pressure, he says in an email to Dark Reading.
Hoxhunt researchers analyzed more than 15 million phishing simulations and real email attacks, reported in 2022 by 1.6 million people participating in security behavior change programs.
Phishing simulation programs and related employee security training, which security experts recommend as part of an organization's overall cybersecurity defense posture, are aimed at helping employees identify and then proactively report malicious campaigns or threats to the corporate IT environment.
Numerous reports have found that human behavior is still a key driver of security gaffes and data breaches across all organizations, demonstrating the value of behavior-focused employee training programs, notes Timothy Morris, chief security advisor at Tanium, a provider of converged endpoint management.
"It still holds true that humans are the weakest link in cybersecurity," he says in an email to Dark Reading. "Millions are spent on security tools. Yet, one clicker can circumvent it all."
This was painfully true in the May 2021 Colonial Pipeline attack, when the use of a single password — obtained through an unspecified data leak — allowed for a ransomware attack that severely disrupted fuel distribution across the US for weeks.
Though it's unclear if phishing was the culprit in the leak, the attack demonstrated how obtaining one employee's legitimate credentials can have catastrophic consequences in the critical-infrastructure sector.
The good news is that critical infrastructure is showing a high resilience ratio — the rate of success versus failure — in spotting phishing attacks during simulations compared to the global industry average, according to the report. The sector has a 10.9% resiliency rate, 51% higher than the global average of 7.2%, a figure that Aalto called the most surprising data point of the report.
Moreover, employees in the sector seem to catch on quickly through trainings that directly engage them in spotting phishing attacks, the research found. Though they start off with higher rates of missing an attack in the simulations, a year after training they are 65% less likely to fall for a simulated attack.
One type of phishing attack that appears to fool employees across all sectors, but especially within critical infrastructure, is one that uses spoofed internal organizational communications to ensnare victims. The Hoxhunt findings reported an 11.4% higher chance of a critical-infrastructure organization being compromised by this type of attack compared to global averages.
Moreover, employees in the communications, marketing, and business development departments showed the highest tendencies to fall for phishing campaigns, which was in line with global averages, the researchers found.
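The report's resilience ratio and its per-department and per-lure breakdowns are the kind of metrics a security awareness team computes from its own simulation logs. The following is an added example, not Hoxhunt's code or data: it scores constructed simulation outcomes by department and by lure template and flags the groups that fall below a chosen baseline. It assumes the ratio is simply reports per failure, and the event records, department and lure names are invented.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample of phishing-simulation outcomes (not Hoxhunt data).
# outcome: "reported" = user flagged the lure, "failed" = user clicked or
# submitted data, "ignored" = no action. lure = template family used.
SAMPLE_EVENTS = [
    ("alice", "operations", "internal-it-notice", "reported"),
    ("bob", "operations", "vendor-invoice", "reported"),
    ("carol", "operations", "internal-it-notice", "failed"),
    ("dave", "marketing", "internal-it-notice", "failed"),
    ("erin", "marketing", "vendor-invoice", "failed"),
    ("frank", "marketing", "internal-it-notice", "ignored"),
    ("grace", "engineering", "vendor-invoice", "reported"),
    ("heidi", "engineering", "internal-it-notice", "reported"),
    ("ivan", "engineering", "internal-it-notice", "failed"),
    ("judy", "engineering", "vendor-invoice", "ignored"),
]

@dataclass
class Scores:
    sent: int = 0
    reported: int = 0
    failed: int = 0

    @property
    def failure_rate(self) -> float:
        return self.failed / self.sent if self.sent else 0.0

    @property
    def resilience_ratio(self) -> float:
        # Assumption: resilience ratio = reports per failure; no failures -> inf
        return self.reported / self.failed if self.failed else float("inf")

def score_by(events, key_index):
    """Aggregate outcomes by the chosen column (1 = department, 2 = lure)."""
    table = defaultdict(Scores)
    for event in events:
        s = table[event[key_index]]
        s.sent += 1
        if event[3] == "reported":
            s.reported += 1
        elif event[3] == "failed":
            s.failed += 1
    return dict(table)

def weakest_groups(events, key_index, baseline_ratio):
    """Return groups whose resilience ratio falls below the baseline."""
    return sorted(name for name, s in score_by(events, key_index).items()
                  if s.resilience_ratio < baseline_ratio)
```

Running `weakest_groups(SAMPLE_EVENTS, 2, 1.0)` on the constructed data singles out the spoofed internal-notice lure, the same pattern the report calls out, which is where targeted retraining would go.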
