Organizations that incorporate phishing exercises into their annual assessment of cybersecurity defenses are often faced with the question of whether their click rate is acceptable, or at least below the industry average. Typically, executives and security practitioners simply search for articles, pull excerpts from publications or ask a trusted peer organization.
While this is a starting point, it overlooks two fundamental questions: "What level of sophistication did the simulated attacker use?" and "Were the results across the sample of organizations produced under a consistent methodology?" A click rate from a generic, poorly crafted lure is not comparable to one from a targeted pretext that spoofs a known vendor, and a benchmark built from exercises run under different conditions says little about any one of them.
Without this information, your confidence in the results, or your disappointment in them, could be entirely unwarranted. With that in mind, do you still consider your organization's click rate defensible?
Between March and April of 2019, PwC began its first wave of simulated phishing attacks on mid- to large-size financial services (FS) firms. Fifty-five percent of the total population were Fortune 500 companies; the remainder were large FinTech firms and settlement and exchange organizations.
There is no single cost-effective or reliable solution that can replace a layered set of controls designed to cover each function of the NIST Cybersecurity Framework (CSF): Identify, Protect, Detect, Respond and Recover.
It is no surprise, then, that the old practice of one-size-fits-all annual security awareness training cannot mitigate the risk on its own. Instead, apply a multifaceted defense strategy, right-sized to your organization's risk and informed by the other tangible factors that affect the industry (e.g., regulatory compliance).
Principal, Cybersecurity & Privacy, PwC US
Principal, Cybersecurity & Privacy, PwC US
Director, Cybersecurity & Privacy, PwC US