Wombat Security’s Beyond the Phish™ Report looks at answers to nearly 20 million questions around nine different topics in Wombat’s Security Education Platform over the past two years to understand what areas end users still struggle with and what areas they are doing better it.
“Clearly, phishing is a focus area across the industry, but the efforts can’t stop there,” said Joe Ferrara, President and CEO of Wombat. “To reduce cyber risk in organizations, security education programs must teach and assess end users across many topic areas, like oversharing on social media and proper data handling. Many of these risky behaviors exacerbate the phishing problem.”
Key findings from the report that show room for improvement include:
With the rise in remote working and end users who value the ability to work outside of the office, organizations need to educate their employees on how to stay safe while they are outside the office. However, only 50% of companies are assessing employees about their telecommuting habits. Improper use of free WiFi, inattention to physical security, lax data protections, and the lack of security guidelines during travel led to 26% of questions missed by end users on this important topic.
“This is a topic that should be a part of every security awareness training program, particularly for today’s mobile workforce. Many employees are accessing corporate email and internal systems from mobile devices or remote locations. Do employees understand the risks of connecting to free WiFi networks? Do they know what a rogue hotspot is? Are they using strong passcodes or other locking mechanisms? Do they use VPNs? Do they understand the implications of malicious applications and over-reaching permissions,” Ferrara added.
While there is room for improvement in all risk areas, the report also highlights categories where employees have answered the highest percentage of questions correctly:
Wombat Security also surveyed hundreds of security professionals — customers and non-customers — about what security topics they assess on, and their confidence levels in their end users’ abilities to make good security decisions. Of the organizations that participated, 20% were in financial industries, 13% in technology, 11% in healthcare, and others in verticals including manufacturing, professional services, education, insurance, retail, energy, government, telecommunications, and consumer goods. You can download the full report here.