Imagine the following. An organisation invests hundreds of thousands of euros in cybersecurity every year. There is a SOC, there are penetration tests, and there is an extensive awareness programme. The CISO reports confidently to the board: the organisation is well protected. Until someone calls.
The attention gap
When a CISO discusses the threat landscape, ransomware, supply chain attacks, and cloud misconfigurations are at the top of the agenda. Vishing (voice phishing, social engineering over the telephone) is rarely mentioned. That is not because the threat is small, but because the phenomenon falls outside the traditional domain of IT security.
Five reasons why vishing is underestimated
It sits outside the measurable world, there is no purely technical solution, it is seen as low-tech, incidents go unrecognised or unreported, and the human factor does not fit neatly into the framework.
The gap between perception and reality
On average, only 30 to 40 percent of employees respond correctly during a first vishing test. In other words, six to seven out of ten people disclose information.
From blind spot to deliberate choice
Measure your current resilience, integrate vishing into your awareness programme, and make it measurable and reportable.