Cybersecurity Training Alone is Insufficient to Prevent a Phishing Attack by Brandon Bowers

Posted on July 08, 2024 by Brandon Bowers

Phishing scams and business email compromises (BECs) continue to make headlines, ranking as the most common cybersecurity breach method and the most frequently reported crimes to the FBI’s Internet Crime Complaint Center (IC3). Yet, even as businesses step up efforts to help employees learn to recognize the warning signs of these attacks, criminals are often one step ahead, developing newer, more sophisticated and elaborate schemes that are increasingly difficult to detect. In this environment, employee training alone is not enough to protect a business from a breach. Additional layers of security are required.

In a phishing attack, criminals impersonate a trusted person or entity, including victims’ own coworkers and business partners, to trick their targets into sharing sensitive information, such as private business records, the personally identifying information of employees and customers and even credentials for network access. The bait, which victims can receive via email, text message or phone call, appears to come from someone the recipient knows and includes an urgent request for payment or other sensitive information that criminals can then capture and use to exploit network vulnerabilities. Victims may also be lured into opening an attachment or clicking on a link that ultimately downloads malware or holds the organization’s entire digital and cyber network hostage.

Cybersecurity awareness training is critical to help businesses educate their staff and improve the odds that they will not fall victim to a phishing scam. However, there are no guarantees that your busy employees will always recognize the warning signs of a phishing attempt and avoid taking scammers’ bait. According to several studies, 74 percent of all cybersecurity breaches are caused by human error[1][2], and more than 66 percent of companies believe that their employees are putting their organizations at risk through the misuse of email, oversharing company information on social media and careless web browsing.[3]

The fact is that there is not one silver bullet that can protect businesses from the growing risks of phishing attacks. Instead, companies of all sizes must employ a multi-pronged approach to cybersecurity that includes strong policies, mandatory threat training and a robust security system that may consist of the following elements:

About the Author: Brandon Bowers is director of Managed Cyber Security Solutions with Berkowitz Pollack Brant Advisors + CPAs, where he provides businesses, professional services firms and family offices with business continuity and recovery, cybersecurity and fully outsourced help desk services. He can be reached at the CPA firm’s Ft. Lauderdale, Fla., office at (954) 712-7000 or

[1] Mimecast Human Risk and AI Framing the Future, 2024 State of Email & Collaboration Security

[2] Verizon 2024 Data Breach Investigations Report

[3] Mimecast Human Risk and AI Framing the Future, 2024 State of Email & Collaboration Security