Employees Are Ill-Prepared For Phishing Emails: Study

Here’s a tip for CEOs whose firms have been phished: Don’t automatically throw your subordinates under the bus. The fault may be yours because you haven’t trained them, judging by a new study from Barracuda.

Most companies are training individual contributors — i.e., grunts. Of the firms represented, 77% have training programs in place. But an alarming 23% do not, according to a Barracuda blog post. 

And one wonders about the efficacy of the training. Only 41% rely on outside organizations, and the remainder conduct in-house education.

Maybe that’s why security professionals worry so much about the troops. 

According to the report, 84% say the biggest security concern is poor employee behavior — i.e., carelessness, use of personal emails and disregarding policies.

Only 16% cite inadequate tools that are just not up to fighting email threats, false positives and team distractions. 

Junior people are deemed the most vulnerable (by 24%), followed by sales (17%), customer service and support (15%) and operations (14%).

Marketing people can relax — only 9% say they are highly open to attack. 

This news comes as Barracuda announces an extension of its PhishLine product suite. It is now offering a streamlined edition for companies with 1,000 employees or fewer.

There’s no question that email phishing attacks are dangerous. The respondents worry about these fiscal consequences:

Stolen information, the reputational and remediation costs of stolen data — 41%

Ransomware, the cost of a direct payment to regain access to your own systems and information — 33% 

Business email compromise attacks (BEC), getting tricked into sharing confidential information or sending money to a bad actor — 27%

can be blamed. The respondents say they are most worried about individual contributors (46%), executives (39%) and team managers (15%).

Executives are most likely to be targeted (70%), largely because they have access to sensitive information and systems (70%).

Individual contributors are deemed less vulnerable, but they are widely considered the most careless (55% say so, versus 36% for executives). And a whopping 62% believe that these wage slaves are unaware of the consequences. Finally, 47% feel they simply don’t care (versus 19% for executives).

Of all departments, finance units are seen as the most exposed.

What kind of training do people want to see in place?

  • Customized examples that are relevant to department and role — 54%
  • Unscheduled simulations of typical attacks — 51%
  • Regularly scheduled modules that can be done at the employee’s convenience — 47%
  • Rewards for good behavior — 28%

Barracuda argues that “being able to scale training, move quickly, and be offered at the convenience of each employee could make all the difference in an effective program.”

Barracuda worked with Dimensional Research to survey over 630 people with responsibility for email security at their firms.
