
Report: IT staff fail phishing tests more often than non-technical workers

Results show DevOps workers consistently rank among the most likely to fail a cyber security exercise

A new report covering more than 80,000 professionals in different business sectors has revealed that technical staff are just as likely, if not more likely, to fail an internal phishing exercise at work.

After issuing pseudo phishing emails to employees at businesses in the finance, retail, and manufacturing sectors, F-Secure found that the most technically competent workers were in some cases among the worst performers in terms of opening the email, failing to report it as a phish, and clicking through on links within the email body.


Analysis of the results from respondents in two business sectors, finance and retail, showed DevOps teams were consistently among the worst-scoring workers in a company. DevOps workers were the second-most likely group to open phishing emails in the finance industry (26% open rate) and the third-most likely (30% open rate) in the retail sector.

Dedicated IT workers also fared poorly on open rate in comparison to their colleagues. In finance, IT workers were the fourth-most susceptible with an open rate of 24%, narrowly less than DevOps, and were also in the bottom 50 percentile in retail, with an open rate of 21%.

"The privileged access that technical personnel have to an organisation’s infrastructure can lead to them being actively targeted by adversaries, so advanced or even average susceptibility to phishing is a concern," said Matthew Connor, service delivery manager at F-Secure.

"Post-study surveys found that these personnel were more aware of previous phishing attempts than others, so we know this is a real threat. The fact that they click as often or more often than others, even with their level of awareness, highlights a significant challenge in the fight against phishing."

[Image: Sample phishing email seemingly from the CFO. Credit: F-Secure]

When it came to reporting suspicious emails, IT workers were just third-best out of nine departments in the finance industry with DevOps among the worst at sixth. These figures did not translate to retail, though, as IT staff scored as low as third-worst in the entire organisation with 14 departments, including DevOps, showing a higher reporting rate of suspicious emails.

F-Secure noted that there was a distinct difference among companies whose email providers offered a simple, easy-to-find 'report phish' button within the email client. Those with access to such a button consistently scored better in reporting suspicious emails, suggesting organisations need to make the reporting process easier for employees.

"It’s all about making the reporting process as quick and easy as possible," said Chris Maley, head of delivery at F-Secure Phishd. "The quicker and easier it is for an end user to report a suspicious email, the more likely they are to actually do it."

[Image: Sample phishing email seemingly from the HR department. Credit: F-Secure]

The researchers used three random phishing email templates: one purporting to be from the company CFO, one from a fake file-sharing service, and a fake email from the human resources department. These were distributed randomly among the participants and there was no discernible difference in success or failure depending on the type of email received.
