How well does your industry defend against elementary phishing campaigns?

Our study will provide the answer

Historical challenges with determining a defensible click rate

Organizations that incorporate phishing exercises into their annual assessment of cybersecurity defenses are often faced with the question of whether or not their click rate is palatable or below the industry average. Typically, executives and security practitioners are merely searching for articles, grabbing excerpts from publications or asking a trusted peer organization.

While this is a starting point, they often overlook these fundamental questions: “What level of sophistication did the attacker leverage? And were the results across the sample of organizations part of a consistent methodology?” 

Without this critical information, your confidence level or utter disappointment in the results could be completely unwarranted. That said, do you still feel your organization’s click rate is defensible?

The simulation

Between March and April of 2019, PwC began its first wave of simulated phishing attacks on mid- to large-size FS firms. Fifty-five percent of the total population were Fortune 500 companies, while the others were large FinTech firms and settlements / exchanges.

It's imperative to build a layered defense

There’s no single cost-effective or reliable solution that can replace the design of multiple controls intended to cover each function denoted in the NIST Cybersecurity Framework (CSF): Identify, Protect, Detect, Respond, Recover.

It is no wonder that the old approach of applying one-size-fits-all annual security awareness training cannot mitigate the risk. Instead, apply a multifaceted defense strategy, right-sized to your organization’s risk, considering other tangible factors that affect the industry (e.g., regulatory compliance).



Contact us

Kevin Simmonds

Principal, Cybersecurity & Privacy, PwC US

Chris Morris

Principal, Cybersecurity and Privacy, PwC US

Chris Duffy

Director, Cybersecurity & Privacy, PwC US
