At this point, everybody knows phishing is a threat.
But then, it’s difficult to deny. As Verizon points out, over 90 percent of data breaches include a phishing or social engineering component, including many of the high profile breaches we all read about each week.
In fact, from a security perspective, phishing is the single greatest threat to most organizations, whether they’re tiny family owned businesses or huge multinational conglomerates.
So what are most organizations doing to defend against phishing?
Naturally, they’re… doing almost nothing. Best case, they might be holding an annual awareness session in some dark basement room, where a bored intern tries to explain why everybody should stop clicking on dodgy links and attachments.
Now yes, most organizations have implemented some sensible technical controls, such as advanced spam filters and blacklists. They might even go a stage further, by implementing content filtering technologies, and email authentication protocols such as DMARC, SPF, or DKIM.
But the truth is no matter how good your technical controls are, some phishing emails will always reach your users’ inboxes. And when that happens, substandard awareness training won’t be enough to prepare them.