Mid-sized organisations are the most vulnerable to phishing attacks

Mid-sized organisations sit in the ‘sweet spot’ of cyber security, according to Coalfire’s Penetration Risk Report. Unfortunately, it is a sweet spot in two senses: the best-defended size of organisation overall, and, when it comes to phishing, an attractive target for cyber criminals.

After studying the most common vulnerabilities in small, medium and large organisations, Coalfire concluded that mid-sized organisations are generally the most secure. This is because they have greater resources than smaller organisations, but are small enough to maintain a tight-knit cyber security culture. 

However, this strength becomes a weakness when it comes to phishing. Crooks usually send messages in bulk, so the more employees an organisation has, the greater the chance that someone opens a malicious link or attachment. Mid-sized organisations fall into the gap where they have enough employees to create a significant risk of a breach but lack the defences to flag up suspicious messages.
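As an added illustration (not taken from Coalfire’s report, and using assumed figures), the scaling described above can be made explicit with a simple model. Suppose a bulk phishing campaign reaches all $n$ employees and each one, independently, opens the malicious link or attachment with probability $p$. The chance that at least one employee does so is

$$P(\text{at least one victim}) = 1 - (1 - p)^n.$$

With an assumed per-employee click rate of $p = 0.01$ (one in a hundred), this gives

$$1 - 0.99^{50} \approx 0.40, \qquad 1 - 0.99^{250} \approx 0.92, \qquad 1 - 0.99^{2000} \approx 1.00,$$

so an organisation of 250 staff is already at roughly a nine-in-ten chance that a single bulk campaign lands at least one click, while at 2,000 staff it is a near certainty. The organisation cannot change $n$, but it can change $p$: halving it to $p = 0.005$ at $n = 250$ brings the figure down to $1 - 0.995^{250} \approx 0.71$, which is the effect that awareness training and prompt reporting of suspicious messages are aiming for.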

‘Flip the thinking’ 

Andy Baratt, Coalfire’s UK managing director, said the report “flip[s] the thinking that large enterprises are the most secure, even with significant cybersecurity budgets and investments in staffing and other resources. 

“However, this doesn’t apply to social engineering where large corporates are more secure. Despite bigger companies outperforming their smaller rivals in this area, it’s clear that human error poses the greatest risk to businesses of all sizes. Whether you’re a FTSE 100 company or an SME, the chances are that staff are your cybersecurity Achilles’ heel. 

“By training employees on using strong passwords and being more vigilant at spotting phishing attacks, businesses can significantly increase the strength of their IT security.” 

How to avoid phishing attacks 

As Baratt suggests, staff awareness training should be the primary defence strategy against phishing attacks. No matter what technological defences you have in place, malicious emails will slip through, and when that happens, the only thing standing between cyber criminals and your organisation’s sensitive information is your employees’ ability to spot the scam. 

Our Phishing Staff Awareness Course shows you and your employees exactly what to do in that situation. We break down how phishing emails work, how to spot them, what you should do when you receive one and what happens when people fall victim. 
