Construction SMBs Face Increased Phishing Risk

August 8, 2019 | Blog, Phishing

Phishing is an age-old problem that transforms every year, yet there are ways to fight it. Download our white paper here to find out how.

The construction sector became the most susceptible to phishing among small and medium businesses, meaning construction SMBs are over 30% likely to be phished.

Certain industries are more susceptible to being phished – that is what the results of KnowBe4’s annual survey repeatedly reveal. In 2018, insurance, manufacturing and technology companies overtook the nine other sectors surveyed by KnowBe4. Additionally, those micro-verticals with fewer than 1000 employees were also often more vulnerable to phishing.

The 2019 version of the study brought some new contenders to the forefront. While SMBs still remained more phish-prone (with a few exceptions), the construction sector became the most susceptible in the small and medium spaces, while hospitality captured the enterprise slot with the highest rate of phishing vulnerability in the study. The overall percentage of employees that fell for a simulated phishing test also rose from the previous year’s rate to 29.6 percent.

Employee Phish-prone Percentage

KnowBe4 defines susceptibility to phishing according to their Phish-prone Percentage (PPP) formula. This metric measures how many employees were successfully deceived by a simulated phishing test. The 2019 study submitted over 20 million test messages to approximately 9 million employees across 18,000 organizations. The baseline PPP across all industries was approximately 30 percent; a total of 19 industries were surveyed this year, with seven new additions from the 2018 study.

Size Matters in Cybersecurity

On top of industry, size was the next best indicator of an organization’s PPP. While hospitality businesses with more than 1000 employees experienced the single greatest phish-prone rate (48 percent), overall, larger businesses remained at or were well below the PPP average – transportation enterprises captured the lowest rate at 16 percent.

In contrast, SMBs were more likely to have a higher than average PPP across the board, the only exception ironically being mid-sized hospitality companies. A few other industries experienced sporadic percentage drop-offs in the medium range, including utilities and legal services, while others, like banking and consulting practices, actually saw slight increases.

However, the greatest trend was of businesses becoming more phish-prone the smaller they were, with only a scant few exceptions going the opposite direction. Examples of the former include the professional and financial services, insurance, and manufacturing sectors, which remained on the list of highly phish-prone industries from last year’s study. This trend reflects the overall PPP for SMBs being noticeably higher than that of enterprises at 32.7 percent versus 27.9 percent.


Construction Employees Always Vulnerable to Phishing

No matter the size, employees in construction firms retained a higher PPP, with only a slight drop-off from SMBs to enterprises: less than a percentage point between each segment. Those under 250 employees featured a 37.9 percent PPP, under 1000 saw 37.1 percent, and 1000+ were at 36.7 percent. This translates to those businesses having a close to 40 percent chance of being successfully phished.

Smaller construction organizations were by far the most susceptible to phishing out of all the SMB verticals, and the second most susceptible out of all of those surveyed after hospitality enterprises. The most common trend among the most vulnerable verticals is the amount of client data (especially on the financial side) they manage – and the lack of widespread controls they have in place to protect it, especially on the SMB level. Construction and manufacturing firms have consistently been targets of cybercriminals because of this, and will likely continue to be until the disconnect between operational security and individual practice becomes less widespread in the industry.

Prevent Phishing by Training Your Employees

Employees are both your weakest link and your best defense when it comes to network security. That is why the best way to fight phishing or any other cyber scam is to train your personnel to be able to spot the red flags from a mile away.

Learn more about our employee awareness training through Phishing Defender to prepare your business for the next phishing scam.
