There’s no doubt about it – phishing plays a key role in today’s growing threat landscape. Our annual State of the Phish™ Report looks at data around tens of millions of simulated phishing emails sent over a one-year period, as well as a survey of infosec professionals and end users to gain a better idea of what the impact and understanding of phishing is today. And the results illustrate that phishing is still a primary attack vector, with 76% of respondents reporting their organization had been victimized by a phishing attack in 2016.
But what security awareness training topics are your end users falling for that go beyond just phishing attacks? We released our first Beyond the Phish™ Report last year to answer just that. Here’s a glimpse into some of the cybersecurity areas end users commonly miss the mark on when assessed.
While our data shows that more than 75% of the working population is permitted to access social networks on work devices, organizations are not regularly advising employees about best practices. They do not know how large of a problem they have and are just hoping for the best.
End users missed an alarming 31% of questions asked in this category — almost 1/3 of those presented — showing a lack of understanding about what they should and shouldn’t do to keep themselves and their organizations safe. The most frequent wrong answers related to identification of fake profiles and posts, which can be tricky to the untrained eye.
Remember, social networks are a gold mine for cybercriminals due to the ease at which scammers can sign up for an account and pose as someone else, a term sometimes referred to as “catfishing” or “farcing.” These types of social engineering scams are quite common, and pose real threats to an individual’s or organization’s information, finances, and reputation.
It’s important to remind end users that before accepting a friend request, they should ask themselves the following questions:
Users should look for posts that are out of the ordinary among their existing contacts, and keep an eye out for spelling and grammar errors in the updates they see. That’s usually a sign of trouble. For more tips on raising awareness of social media safety, refer to our blog post on social media habits your end users can implement today.
Within the context of the Beyond the Phish Report, questions in this category covered the lifecycle of data, from creation to disposal, and handling PII on a more general level. End users were asked about topics such as using USBs, deleting files from hard drives, and securing work devices.
One of the common misconceptions with end users is that there is technology in place that will protect them from being hacked, which means they feel they do not need to be terribly vigilant. So it comes as no surprise that end users, on average, missed 30% of the questions in this category.
Remind end users that it’s never a good idea to plug a USB device into any port if they don’t know where it came from. Random USBs could appear in any area of your organization if an attacker gains access to your location. Additionally, more of a focus must be placed on communicating policies about sharing and storing PII. Make sure your end users are fully aware of the policies surrounding proper disposal of documents and electronic files that contain PII when they are no longer needed by the business.
To help your end users identify ways they can protect sensitive data, share our blog post on clean desk habits. You might also enjoy our take on the 2016 FBI hack, which shows how bad things can get when data is exposed.
Healthcare, retail, and financial institutions are likely to be particularly interested to know that end users performed less than desirably on questions relating specifically to standards compliance in both PCI DSS and HIPAA. Alarmingly, 27% of the questions were missed in this category.
It is very important to get your end users thinking about ways a breach could happen that they may not expect. In the healthcare industry, PHI is received multiple times a day, and is often shared with many departments, employees, and third parties. End users must realize that they share responsibility for protecting health data. Everyone who touches PHI has an obligation to keep it safe, and users can absolutely help prevent breaches — if they know how.
On the PCI DSS side, one of the most missed questions asked around this topic was: Is it safe for a call center employee to write a customer’s credit card number down in a personal notebook for later processing? The answer is a resounding no, but it seems end users would like to think otherwise. This is an important consideration for organizations like retailers, who might assume that their users have a clear understanding of these types of policies and behaviors.
Today, working outside of the office is very common. Whether traveling for work or working from home or at a local coffee shop, there are a lot of things to consider to keep data, networks, and equipment safe.
Topics in this category in the Beyond the Phish Report ranged from safe use of WiFi to practical physical security actions. It was surprising to learn that, of the infosec professionals who were surveyed for our report, more than half do not provide guidelines for employees to follow while traveling. This showed with end users, who missed 26% of questions in this category.
The most missed questions about this topic were related to safe use of WiFi, an essential practice with any internet-connected device, whether used for business or pleasure. Studies have shown that even IT-savvy professionals are reckless when it comes to WiFi use. Hold your end users to a higher standard. Perhaps with a little more direction for working outside the office — like installing a VPN on their mobile devices — they would have the knowledge they need to protect company data.
If you’d like to raise awareness about WiFi best practices with your end users, share these tips on our blog.
We recommend continuous assessment and training as a systematic approach to address the gaps in end-user cybersecurity awareness. If you begin with measurement, then you will know which topic areas to focus on and have a baseline against which to measure your success going forward. Without measurement, you will have no way to confidently identify your threats or understand the progress you are making with your program.
To learn more about our interactive training modules and CyberStrength® Knowledge Assessments, visit our website.
Posted by Kym Harper on 04.11.17