wombatsecurity | September 09, 2016

Beyond The Phish Report 2016

Phishing continues to be a large and growing problem for organizations of all sizes. As pioneers in the use of simulated phishing attacks,  Wombat Security, strongly recommends organizations make anti-phishing education the foundation of their security awareness and training programs. However, it’s also recommended to think beyond the phish to assess and educate end users about the many cybersecurity threats that are prevalent (and emerging) in today’s marketplace. Risky behaviors like lax data protection, oversharing on social media and improper use of WiFi are all dangers in their own right – and could be considering contributing factors to the ever-growing phishing problem.

Wombat Security’s Beyond the Phish™ Report looks at answers to nearly 20 million questions around nine different topics in Wombat’s Security Education Platform over the past two years to understand what areas end users still struggle with and what areas they are doing better it.

“Clearly, phishing is a focus area across the industry, but the efforts can’t stop there,” said Joe Ferrara, President and CEO of Wombat. “To reduce cyber risk in organizations, security education programs must teach and assess end users across many topic areas, like oversharing on social media and proper data handling. Many of these risky behaviors exacerbate the phishing problem.”

Key findings from the report that show room for improvement include:

  • The No. 1 problem area for end users, with 31% of questions missed, is safe social media use; yet only 55% of security professionals assess employee knowledge on this topic.
  • Professional services and healthcare employees performed the lowest on the nearly 1 million questions asked about safe passwords.
  • Additionally, end users missed 30% of questions about protecting and disposing of data securely, second only to safe social media use.
  • While healthcare was the industry that had the highest assessment percentage on end users’ ability to protect confidential information, 31% of questions on the topic were missed by those in the industry.

With the rise in remote working and end users who value the ability to work outside of the office, organizations need to educate their employees on how to stay safe while they are outside the office. However, only 50% of companies are assessing employees about their telecommuting habits. Improper use of free WiFi, inattention to physical security, lax data protections, and the lack of security guidelines during travel led to 26% of questions missed by end users on this important topic.

“This is a topic that should be a part of every security awareness training program, particularly for today’s mobile workforce. Many employees are accessing corporate email and internal systems from mobile devices or remote locations. Do employees understand the risks of connecting to free WiFi networks? Do they know what a rogue hotspot is? Are they using strong passcodes or other locking mechanisms? Do they use VPNs? Do they understand the implications of malicious applications and over-reaching permissions,” Ferrara added.

While there is room for improvement in all risk areas, the report also highlights categories where employees have answered the highest percentage of questions correctly:

  • 90% of questions were answered correctly about building safe passwords.
  • 85% of questions were answered correctly on how to best protect against physical risks, such as ensuring no one follows you into a secure area or not leaving sensitive files on your desk.
  • 79% of organizations assess end users on internet safety, and 84% of the questions in this category were answered correctly.

Wombat Security also surveyed hundreds of security professionals — customers and non-customers — about what security topics they assess on, and their confidence levels in their end users’ abilities to make good security decisions. Of the organizations that participated, 20% were in financial industries, 13% in technology, 11% in healthcare, and others in verticals including manufacturing, professional services, education, insurance, retail, energy, government, telecommunications, and consumer goods.  You can download the full report here.

Read the article on Information Security Buzz