Building Cyber Resilience Through Security Awareness: Key Insights from our Annual IRONSCALES 2024 Phishing Tournament

Written by Jenna Knoblauch | Nov 12, 2024

One of the most effective ways to strengthen an organization’s cybersecurity posture is through regular security awareness training and phishing simulations. IRONSCALES recently hosted the 2024 Phishing Tournament, a unique initiative that empowered organizations with insights into their vulnerabilities and helped prepare teams to detect and respond to phishing attacks effectively. 

Here’s a look at some highlights from the tournament and insights into how simulated training can transform organizational resilience. 

Phishing Tournament - By the Numbers 

The 2024 Annual Phishing Tournament saw significant engagement, with 171 companies participating and over 187,000 simulated phishing emails sent. Here are some key figures that illustrate the current state of phishing awareness and response: 

  • Total Simulated Emails Sent: 187,372 
  • People Lured (clicked): 3,498 
  • Average Report Rate in First Campaign: 20.2% 
  • Average Report Rate in Second Campaign: 22.7% 
  • Average Click Rate in First Campaign: 2.2% 
  • Average Click Rate in Second Campaign: 1.69% 

These numbers reveal a clear trend: employees' vigilance and awareness improved from the first to the second campaign.

Analysis of Improvements

Here’s what this progress suggests: 

  • Increased Report Rate: The rise in report rate (from 20.2% to 22.7%) shows that more employees are recognizing suspicious emails and taking action. This uptick suggests that initial training and simulations had a direct, positive impact on employee awareness. 
  • Decreased Click Rate: With fewer employees lured by phishing emails in the second round, the reduced click rate (from 2.2% to 1.69%) highlights a growing understanding of phishing tactics and a greater reluctance to click on harmful links. 

The Value of Phishing Simulations

Running phishing simulations offers organizations a twofold benefit. First, employees gain hands-on experience identifying and responding to phishing attempts in a safe, controlled environment. Second, these exercises provide critical data that can shape future security awareness programs for the organization, ensuring resources are allocated to areas where they’re most needed. 

With insights from our 2024 Phishing Tournament, participating organizations now have data to: 

  • Identify At-Risk Areas

    By analyzing report and click rates, organizations can identify where more training is needed. Employees or departments with higher click rates may benefit from focused training programs designed to boost security awareness. 
  • Benchmark Progress

    Companies can compare their results with industry averages, setting realistic goals for improvement. For instance, small companies can aim to match or improve on the report and click rates observed in this year’s tournament.
  • Foster a Culture of Security

    Consistent training and simulation initiatives help create a security-first culture throughout the organization. Employees transform from being part of the problem to part of the solution, making the organization even safer. 

Moving From Defense to a Proactive Strategy 

Phishing simulation tools like those integrated with the IRONSCALES platform go beyond basic testing. They provide an opportunity for employees to experience firsthand the types of tactics attackers use—without real-world consequences. As employees learn and adapt, organizations move toward a proactive defense strategy, where threats are anticipated and addressed before they escalate.

The phishing tactics employees encountered in the tournament included spear-phishing emails disguised as company announcements, urgent requests for login information from “senior leaders,” and even false emails suggesting a missed delivery. Recognizing these methods helps employees feel more confident and prepared when similar situations arise.

Final Takeaway

As attackers get more creative and harness GenAI tools to craft sophisticated attacks, it’s essential to invest in ongoing training and real-world simulations. The IRONSCALES Annual Phishing Tournament emphasizes that phishing awareness is more than an IT issue; it’s a shared responsibility across the organization. When companies prioritize these simulations, they aren’t just testing employees—they’re preparing them. By adopting this proactive approach, organizations lay the foundation for a safer, more resilient future.

Ready to make cybersecurity part of your company culture? Start small: schedule a phishing simulation, educate your team on phishing red flags, and encourage open discussions about cyber threats. Every step brings your organization closer to resilience.