As seen on Computer Weekly...
With just a month to go before the GDPR compliance deadline, many employees still don't know how to protect confidential data, a study shows
Employees are still struggling to understand how to protect confidential information, just 30 days before the compliance deadline for the EU’s General Data Protection Regulation (GDPR), a report claims.
In knowledge assessment quizzes, employees answered 25% of questions on protecting confidential information incorrectly, compared with 26% in 2017, showing they still lack full understanding of GDPR compliance-related topics, according to the 2018 Beyond the phish report from Wombat Security Technologies, the security awareness training division of Proofpoint.
In the category of protecting and disposing of data securely – which deals with secure management throughout the data lifecycle – end-users across all industries answered 23% of questions incorrectly, as they did in the protecting mobile devices and information category.
Employees also gave the wrong answer to 24% of questions on the identification and avoidance of phishing attacks, which shows why phishing continues to be such a widely used and successful attack method, according to the report, based on analysis of the answers to nearly 85 million questions posed to end-users across 12 categories and 16 industries.
The manufacturing and transport sectors fared the worst in the phishing identification category, answering 26% of questions incorrectly, but while the technology and defence industries fared the best, they still answered 22% of questions about phishing threats incorrectly.
Employees in telecommunications and manufacturing each received the lowest rankings in three of the 12 categories analysed for the report.
Another newly released report shows that nearly half of UK manufacturers have been hit by a cyber security incident. The report, by industry organisation EEF, calls for greater government focus on the specific security needs of the manufacturing sector.
According to the EEF report, a “worryingly large” 12% of manufacturers surveyed have no process measures in place to mitigate against the threat, only 62% of respondents said they train staff in cyber security, 34% said they do not offer cyber security training and 4% said they did not know.
“The Beyond the phish report illustrates the importance of combining the use of assessments and training across many cyber security topic areas, including phishing prevention,” said Joe Ferrara, general manager at Wombat.
“Our hope is that by sharing this data, infosec professionals will think more about the ways they are evaluating vulnerabilities within their organisations and recognise the opportunity they have to better equip employees to apply cyber security best practices and, as a result, better manage end-user risk.”
According to Wombat, the report validates the need for organisations to use a combination of simulated attacks and question-based knowledge assessments to evaluate their end-users’ susceptibility to phishing. There is a 9% average click rate on phishing tests across all industries and end-users incorrectly answered 24% of questions related to the identification and avoidance of phishing attacks.
“This indicates that organisations that are relying on simulated phishing tools alone are not getting a complete picture of their end-users’ understanding of, and susceptibility to, the many different tactics cyber criminals employ when crafting email-based social engineering attacks,” said Ferrara.
While there is always room for improvement with regard to end-user risk management, he said, the report also highlights categories and industries in which staff are improving year-on-year and have answered the highest percentage of questions correctly.
Employees in the education and technology industries, for example, each had top rankings in three of the 12 categories analysed for the report, while end-users performed the best in the avoiding ransomware attacks category, answering nearly 90% of questions correctly on average across all industries.
End-users also did well in the percentage of questions they answered correctly in the building safe passwords category (88%), protecting against scams (86%) and using social media safely (82%).