Some people just refuse to put the seatbelt on when they get in their car. An act that takes about two seconds. It’s a lot of protection—perhaps lifesaving—for a little bit of time and effort. And it’s not like they’re unaware of seatbelts or the protection they provide. I guess they just assume that when it comes to getting into a wreck, it can’t happen to them.

Unfortunately, when it comes to phishing attacks, most organizations adopt the same attitude: it can’t happen to me. Perhaps more shocking is that those responsible for the security in those organizations also underestimate the risk of phishing. That according to a new survey conducted by Survata for SlashNext entitled Phishing in the Dark.

According to the survey of cybersecurity decision makers in mid-size companies, “Ninety-five percent of respondents underestimate how frequently phishing is used at the start of attacks to successfully breach enterprise networks.

What’s also surprising from the survey is that the top concern (64%) of the IT pros is shortfalls in employee awareness training. It’s surprising because of how ineffective employee awareness training is.

The best employee awareness training out there is probably from KnowBe4. Even they admit with a full 365 days of training, 2.17% of employees will still get successfully phished. That means in a mid-size company of 400 employees, eight will still click on malicious links in phishing emails after a year of training.

Just as a reminder, the number of click it takes to infect the entire company is ONE.

The survey confirmed what we already know about ineffective training. “Threat actors’ tactics have evolved to using very fast-moving phishing sites and attack vectors that evade existing security controls. Phishing awareness training offers little to protect employees when phishing sites appear more legitimate and often manipulating users.”

The result is a lethal combination of factors that explain why so many companies are vulnerable to phishing attacks. Most think it can’t happen to them and those that do use ineffective methods to try and prevent it.

Fortunately, the survey did recommend a solution. It stated, “Such brief durations demand that organizations use real-time anti-phishing solutions that can detect a ma­licious phishing site in real time.”

That’s how you prevent phishing attacks. You assume it can happen to you and you assume that employees WILL click on malicious links in phishing emails and you respond accordingly with real-time protection that acts at the same speed as the hackers.

When you’re ready to believe it can happen to you and want to protect your company for just pennies a day per employee, head on over to our Advanced Threat Defense product. Try it risk free for 30 days.