Blog

  • Weekly Threat Report: Three Critical Zero-Day Vulnerabilities

    Weekly Threat Report: Three Critical Zero-Day Vulnerabilities

    From edge firewalls to business-critical applications and web browsers, attackers are actively exploiting zero-day vulnerabilities across the digital ecosystem. This week, three high-severity threats have surfaced, exposing core systems to remote code execution and full compromise. Organizations must act quickly to mitigate these risks and secure exposed infrastructure.

    (more…)

  • Top Benefits of Hiring a vCISO

    Top Benefits of Hiring a vCISO

    Cybersecurity leadership is critical to every organization’s success, and that’s where vCISO services make a difference. As data breaches and ransomware attacks rise globally, businesses face billions in losses every year. Cybersecurity Ventures’ 2024 Cybercrime Report projects that cybercrime will cost the global economy $10.5 trillion annually by 2025, up from $3 trillion in 2015. These losses stem from data destruction, theft, fraud, and reputational harm.

    To combat this, governments are tightening cybersecurity regulations, and organizations are turning to virtual Chief Information Security Officer (vCISO) services to strengthen their defenses and meet compliance demands.

    (more…)

  • Phishing Risk by Industry 2025: Benchmarks & Threat Insights

    Phishing Risk by Industry 2025: Benchmarks & Threat Insights

    Phishing Risk continues to dominate the threat landscape in 2025. As attackers evolve their tactics to bypass technical defenses, businesses face a critical question: How likely are employees to fall for a phishing attempt?

    KnowBe4’s latest Phishing by Industry Benchmarking Report 2025 provides a data-driven answer. Based on results from 56 million simulated phishing tests across 55,000+ organizations, the report reveals average Phishing-Prone Percentages (PPP) across industry sectors, company sizes, and regions. Let’s explore the top takeaways, and how to proactively reduce your organization’s phishing risk.

    What is the Phishing-Prone Percentage (PPP)?

    The Phishing-Prone Percentage (PPP) is the percentage of users who clicked on a simulated phishing email during testing. Measured before any training, it shows how vulnerable your employees are to phishing at the outset; measured again after training, it shows how much that vulnerability has dropped.

    In the 2025 benchmarking study, KnowBe4 analyzed simulation results across:

    • 19 different industry sectors
    • 9 geographic regions
    • 3 company size categories

    The findings deliver critical insight into how susceptible specific verticals are, and how well training programs actually work.


    Initial Phishing Risk in 2025: Benchmarking by Industry

    The average baseline PPP across all industries was 34.3 percent, meaning over one in three employees clicked on a phishing link without training. But some industries performed significantly worse.

    Industries with the Highest Initial PPPs:

    • Hospitality – 52.9%
    • Education – 50.2%
    • Pharmaceuticals – 48.2%
    • Healthcare & Medical – 46.9%
    • Energy & Utilities – 45.8%

    These sectors are high-risk due to sensitive data, high employee turnover, or frequent external communication, all factors that increase phishing vulnerability.


    Industries with the Lowest Initial PPPs:

    • Technology – 28.5%
    • Finance & Banking – 29.8%
    • Insurance – 30.1%

    Organizations in these industries tend to have more mature cybersecurity programs and stricter access controls.

    Phishing Risk by Company Size

    Company size plays a role in phishing vulnerability, but not in the way many expect:

    • Small organizations (1–249 employees): More vulnerable due to limited resources
    • Mid-sized organizations (1,000–2,500 employees): Highest average PPP across the board
    • Large enterprises (10,000+ employees): Lower PPPs thanks to stronger governance and layered defenses

    Regardless of size, no organization is immune, especially without ongoing training.

     

    [su_button url=”https://www.rsisecurity.com/third-party-risk-management/” target=”blank” style=”flat” size=”11″]Assess your Third Party Risk Management[/su_button]

     

    Training Works: How PPP Drops Over Time

    The most impactful takeaway from KnowBe4’s 2025 report? Security awareness training works, and it works quickly and durably.

    Organizations that implemented consistent phishing simulations and training saw a large drop in PPP:

    Timeline after training    Average PPP
    Initial baseline           34.3%
    After 90 days              17.2%
    After 12 months             4.6%

    That is an 86 percent reduction in phishing vulnerability over one year (from 34.3 percent of recipients clicking down to 4.6 percent).

    Phishing Tactics: What Lures Are Employees Falling For?

    KnowBe4’s simulations use real-world phishing templates designed to mimic what attackers actually send. The most effective lures in 2025 include:

    • IT alerts: “Password expired. Click here to reset.”
    • Delivery notifications: “FedEx: Your package is delayed.”
    • HR notices: “Policy update: View changes to PTO benefits.”
    • Account security warnings: “Suspicious login detected.”

    These messages rely on urgency, fear, or curiosity, triggering emotional responses before critical thinking kicks in.

    How to Reduce Phishing Risk in Your Organization

    Based on the 2025 benchmark data, here are the most effective strategies for reducing phishing exposure:

    • Invest in Security Awareness Training: Train employees continuously, not just once a year. Tailor content by department and role.
    • Launch Ongoing Phishing Simulations: Test your workforce with simulated phishing campaigns. Use the results to identify high-risk users and repeat clickers, and track the report rate alongside the click rate.
    • Measure Your Own PPP and Benchmark It: Compare your phishing-prone rate against KnowBe4’s industry averages to assess your risk.
    • Layer Technical Controls: Use a secure email gateway and DNS filtering to block malicious messages and links, and enforce phishing-resistant multi-factor authentication so that a harvested password alone does not grant access.
    • Build a Security-First Culture: Reward users for reporting suspicious emails and normalize asking IT for help.
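    The following is an added example for this article, not KnowBe4’s or RSI Security’s code. It computes the PPP from a simulated-phishing results export, breaks it down by department, tracks the report rate, flags users who clicked in more than one campaign, and compares the observed rate against the industry baselines quoted above. The record layout, the user names and the campaign outcomes are constructed for illustration; a real platform export will differ in field names but carries the same information.

```python
"""Phishing-Prone Percentage (PPP) from simulated-phishing results.

Added example for this article; it is not KnowBe4's or RSI Security's code.
The record layout, user names and campaign outcomes are constructed for
illustration. The industry baselines are the figures quoted in the article.
"""
from collections import defaultdict
from dataclasses import dataclass

# Initial (pre-training) PPP baselines quoted in the article, in percent.
INDUSTRY_BASELINE_PPP = {
    "all industries": 34.3,
    "hospitality": 52.9,
    "education": 50.2,
    "pharmaceuticals": 48.2,
    "healthcare & medical": 46.9,
    "energy & utilities": 45.8,
    "technology": 28.5,
    "finance & banking": 29.8,
    "insurance": 30.1,
}


@dataclass(frozen=True)
class Result:
    campaign: str     # simulation campaign id
    user: str
    department: str
    outcome: str      # "delivered", "opened", "clicked" or "reported"


# Constructed sample export (hypothetical users): two campaigns, eight recipients each.
SAMPLE_RESULTS = [Result(*row) for row in [
    ("c1", "alice", "Finance", "reported"),  ("c1", "bob",   "Finance", "clicked"),
    ("c1", "carol", "Sales",   "clicked"),   ("c1", "dave",  "Sales",   "opened"),
    ("c1", "erin",  "Sales",   "clicked"),   ("c1", "frank", "IT",      "reported"),
    ("c1", "grace", "IT",      "delivered"), ("c1", "heidi", "HR",      "clicked"),
    ("c2", "alice", "Finance", "reported"),  ("c2", "bob",   "Finance", "clicked"),
    ("c2", "carol", "Sales",   "reported"),  ("c2", "dave",  "Sales",   "clicked"),
    ("c2", "erin",  "Sales",   "opened"),    ("c2", "frank", "IT",      "reported"),
    ("c2", "grace", "IT",      "delivered"), ("c2", "heidi", "HR",      "clicked"),
]]


def _outcomes_per_recipient(results, campaign=None, department=None):
    """Map (campaign, user) -> set of outcomes, applying optional filters.

    Grouping by recipient means a user who clicked twice in one campaign is
    still counted once, which is how PPP is defined (share of users, not of clicks).
    """
    outcomes = defaultdict(set)
    for r in results:
        if campaign is not None and r.campaign != campaign:
            continue
        if department is not None and r.department != department:
            continue
        outcomes[(r.campaign, r.user)].add(r.outcome)
    return outcomes


def _rate(outcomes, flag):
    """Percent of recipients whose outcome set contains `flag`, rounded to 0.1."""
    if not outcomes:
        return 0.0
    hits = sum(1 for o in outcomes.values() if flag in o)
    return round(100.0 * hits / len(outcomes), 1)


def ppp(results, campaign=None, department=None):
    """Phishing-Prone Percentage: share of recipients who clicked the lure."""
    return _rate(_outcomes_per_recipient(results, campaign, department), "clicked")


def report_rate(results, campaign=None, department=None):
    """Share of recipients who reported the simulation; this is the number you want rising."""
    return _rate(_outcomes_per_recipient(results, campaign, department), "reported")


def ppp_by_department(results, campaign):
    """PPP per department for one campaign, for targeting role-based training."""
    depts = sorted({r.department for r in results if r.campaign == campaign})
    return {d: ppp(results, campaign, d) for d in depts}


def repeat_clickers(results, min_campaigns=2):
    """Users who clicked in at least `min_campaigns` distinct campaigns."""
    clicked = defaultdict(set)
    for r in results:
        if r.outcome == "clicked":
            clicked[r.user].add(r.campaign)
    return sorted(u for u, camps in clicked.items() if len(camps) >= min_campaigns)


def compare_to_benchmark(observed_ppp, industry="all industries"):
    """Position an observed PPP against the article's initial baseline for an industry."""
    baseline = INDUSTRY_BASELINE_PPP[industry.lower()]
    return {
        "observed": observed_ppp,
        "baseline": baseline,
        "delta_points": round(observed_ppp - baseline, 1),
        "above_baseline": observed_ppp > baseline,
    }


if __name__ == "__main__":
    for c in ("c1", "c2"):
        print(f"{c}: PPP={ppp(SAMPLE_RESULTS, c)}%  report rate={report_rate(SAMPLE_RESULTS, c)}%")
        print("    by department:", ppp_by_department(SAMPLE_RESULTS, c))
    print("repeat clickers:", repeat_clickers(SAMPLE_RESULTS))
    print("vs technology baseline:", compare_to_benchmark(ppp(SAMPLE_RESULTS, "c2"), "Technology"))
```

    Two design points carry over to real data: count distinct recipients rather than raw click events, or a single curious user can inflate the PPP, and report the report rate next to the click rate, since a campaign where clicks fall but nobody reports has not yet built the reporting habit the last recommendation above asks for.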

    In Closing: Understand the Risk, Train to Prevent It

    The Phishing by Industry Benchmarking Report 2025 underscores a hard truth: technical defenses alone aren’t enough. People are the last line of defense, and often the first target.

    The most at-risk industries in 2025 are those that interact with sensitive data, the public, or third-party vendors. But no sector is truly safe without training.

    Want to benchmark your organization’s PPP and improve employee resilience? RSI Security provides tailored phishing simulation services, role-based awareness training, and advisory to help reduce human cyber risk.


  • Your Web Application Penetration Testing Checklist

    Your Web Application Penetration Testing Checklist

    If your organization builds or relies on web applications for critical operations, web application penetration testing is essential. This updated guide follows OWASP’s latest standards and aligns with RSI Security’s risk-informed approach to testing. Regular penetration testing helps organizations uncover vulnerabilities, fix security gaps, and ensure their applications are resilient against evolving cyber threats. (more…)

  • What are the SOC 2 Processing Integrity Controls?

    What are the SOC 2 Processing Integrity Controls?

    SOC 2 compliance is essential for service organizations that want to prove their security and operational practices meet industry standards. One of the key trust service criteria in a SOC 2 audit is processing integrity. This principle focuses on ensuring that data processing is accurate, complete, timely, and authorized, supported by specific controls across objectives, inputs, processes, outputs, and storage.

    Is your organization preparing for a SOC 2 audit? Schedule a consultation today to assess your readiness.

    (more…)

  • What is the Difference Between a VA Scan and a Pen Test?

    What is the Difference Between a VA Scan and a Pen Test?

    In cybersecurity, identifying vulnerabilities is only half the battle. To build a strong defense, organizations must regularly scan for weaknesses and test their systems through penetration testing. Penetration testing and vulnerability assessments are both essential, but they serve different purposes.

    This guide explains how each works, when to use them, and how they can work together to protect sensitive data and critical systems.

    (more…)

  • Top Cybersecurity Threats This Week: SolarWinds Flaw, Airport Ransomware, Oracle Exploits

    Top Cybersecurity Threats This Week: SolarWinds Flaw, Airport Ransomware, Oracle Exploits

    This week’s top cybersecurity threats reveal how attackers are targeting core enterprise systems, critical infrastructure, and trusted internal tools to gain access and disrupt operations. A critical vulnerability in SolarWinds Web Help Desk, a ransomware attack that grounded airport systems across Europe, and stealthy abuses of Oracle Database Scheduler functionality all underscore the evolving nature of today’s threat landscape.

    (more…)

  • How to Keep Your HIPAA Compliance Efforts Up to Date

    How to Keep Your HIPAA Compliance Efforts Up to Date

    Sensitive patient health information is a high-value target for hackers, and the frequency and severity of healthcare data breaches continue to rise. For example, 142 healthcare breaches exposed more than 3.15 million patient records in just the second quarter of 2018. As data breaches increase year over year, it’s critical for medical practices and healthcare organizations to ensure proper protection and handling of personal health information. The Health Information Technology for Economic and Clinical Health Act (HITECH) expanded the reach of HIPAA (Health Insurance Portability and Accountability Act), making HIPAA compliance essential across a broader range of organizations. Whether you operate a healthcare facility or provide related services, understanding and maintaining HIPAA compliance is key to protecting sensitive patient data and avoiding costly violations.

    (more…)

  • Your Guide to Attestation Services and SOC 2 Audits

    Your Guide to Attestation Services and SOC 2 Audits

    Demonstrating a commitment to data security is no longer optional—it’s expected. If your organization handles sensitive data, provides IT services, or operates within regulated industries, you’ll need more than policies in place—you’ll need to prove those controls work. That’s where attestation services governed by the American Institute of Certified Public Accountants (AICPA) come in.

    (more…)

  • Cybersecurity Threats 2025 | SVG, AsyncRAT, Cisco VPN & AI

    Cybersecurity Threats 2025 | SVG, AsyncRAT, Cisco VPN & AI

    A new wave of cybersecurity threats is reshaping the digital security landscape this week. Attackers are deploying innovative techniques, such as hiding malware inside SVG images and hijacking remote monitoring tools for stealthy AsyncRAT deployment. At the same time, Cisco has issued a warning about a critical VPN vulnerability, while experts are raising concerns about the growing risk of AI-driven zero-day attacks.

    These developments show how cybercriminals are blending creativity with technical sophistication to bypass traditional defenses. Organizations need to stay proactive in monitoring and responding to these evolving threats.

    (more…)