Home / Blogs

Businesses Beware: Cybersecurity Awareness Varies Based on Job Function

Businesses should consider bumping phishing as an urgent concern in their cybersecurity agendas. To those still unacquainted, “phishing” refers to the use of fake emails, messages, and websites that fool users into giving up access to accounts and information or into installing malware through attachments.

It has become quite rampant over recent years. Attackers are using the method as a primary means to breach defenses, and with good reason: they work.

A report from breach simulation platform Cymulate showed that 56% of cyberattacks were successful because of initial phishing incidences. This is why it is critical for employees to be able to spot phishing emails and react accordingly should they encounter one.

However, a recent study from cybersecurity training platform Hoxhunt revealed that the skill of distinguishing between legitimate and phishing emails varies based on job functions. Analyzing the results of 24.7 million simulations, it appears that IT and software development departments were the most effective at identifying simulated phishing attacks as being potentially harmful, while sales and HR departments performed the worst.

Such gaps in cybersecurity awareness should prompt businesses to review their respective strategies, considering that their risks also correlate with the specific job functions that users have within their organizations.

Understanding How Job Functions Matter

It does seem natural for some departments to display more mature cybersecurity awareness compared to others. IT professionals should perform well, considering their role in organizations. They are the ones tasked with securing infrastructure, enacting security policies, and training colleagues. As security stewards, they should be models of proper cybersecurity behavior to everyone.

Software development departments were also among the top performers, indicating that technology skills do translate to cybersecurity.

For other departments, however, the lack of cybersecurity awareness can amplify certain risks for the entire organization. Each job function today deals with different types of sensitive data. Sales and customer service have access to customer information. Accounting departments work with financial data and can even have access to bank accounts. HR deals with employee and applicant data and other compliance information. This makes each of them prime targets of attack.

Businesses should work on reconciling the actual skill levels of their departments and the phishing attack trends that may be targeting these job functions.

For example, professional social network LinkedIn has become a popular service for HR departments to network with and recruit workers. The widespread use of the service among businesses contributes to its popularity as an impersonated organization in phishing messages. Fake emails claiming to be from LinkedIn have risen by 232% since February.

Hackers can also resort to business email compromise (BEC). A spoofed email from a supposed authority within the organization can be sent to the finance department, instructing it to execute fund transfers to the attacker’s account.

A carefully crafted phishing message can be enough to pull such attack off successfully—more so if an actual compromised email account of an authorized personnel is used to send out the message. Workers must be savvy enough to scrutinize every message they receive.

Knowing the Risks of Falling Victim

Falling victim to phishing attacks can have serious ramifications for businesses. Since an attack often serves as the initial breach in defenses, organizations can be exposed to further compromise, including BEC, data breaches, and ransomware.

BEC has become a growing concern among businesses over the past years. The FBI estimates that losses from BEC fraud amounted to $43 billion globally in 2021.

Aside from BEC, attackers can also perform ransomware attacks. Phishing messages can include links and attachments that are designed to encourage users to install ransomware into their devices. Ransomware locks users out of their files through encryption, forcing businesses to pay a ransom in exchange for decryption keys.

Estimates of average ransom costs vary, but they are often placed at the hundreds of thousands of dollars per attack. Then, there is also the cost of data loss and business interruption.

Aside from financial losses, data breaches resulting from phishing can expose businesses to fines due to violation of data privacy laws. Attacks can also negatively impact the company’s brand and lead to the loss of customer trust. Customers can also seek damages should their data be included in breaches. All things considered, just one successful attack can be quite catastrophic.

Committing to Improving Security

Today’s cybersecurity postures need to better factor in the growing phishing scourge. Investments in time, technology, and training have to be made to improve defenses.

Fortunately, the cybersecurity industry has been striving to provide better tools and services for companies to use. Organizations can now easily integrate stronger anti-phishing mechanisms such as better email and messaging services with robust and adaptive spam filters. Many of these are available as cloud-based services, enabling companies to quickly integrate them into their respective infrastructures.

However, since phishing exploits human vulnerabilities, businesses must also focus on improving workers’ cybersecurity skills. Cybersecurity awareness training teaches workers the right habits and behaviors to be able to spot, report, and avoid fake messages.

Rather than just offering generic training, companies should also consider formulating programs for specific job functions to address the skills gaps across departments. Standard practices and policies should also be updated to prevent and counteract the emerging targeted phishing attacks based on job functions.

By Evan Morris, Network Security Manager

Filed Under


Comment Title:

  Notify me of follow-up comments

We encourage you to post comments and engage in discussions that advance this post through relevant opinion, anecdotes, links and data. If you see a comment that you believe is irrelevant or inappropriate, you can report it using the link at the end of each comment. Views expressed in the comments do not represent those of CircleID. For more information on our comment policy, see Codes of Conduct.

CircleID Newsletter The Weekly Wrap

More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

I make a point of reading CircleID. There is no getting around the utility of knowing what thoughtful people are thinking and saying about our industry.

Co-designer of the TCP/IP Protocols & the Architecture of the Internet



IPv4 Markets

Sponsored byIPv4.Global

Domain Names

Sponsored byVerisign

Threat Intelligence

Sponsored byWhoisXML API

Brand Protection

Sponsored byCSC


Sponsored byDNIB.com


Sponsored byVerisign

New TLDs

Sponsored byRadix