Joe Ferrara | September 22, 2016

Healthcare, Telecommunications, Retail and Transportation: How do they stack up on security awareness?

Breaches and attacks have run rampant through most major industries, and organizations are beginning to realize the importance of employee and stakeholder security awareness. Healthcare and retail have been in the brightest spotlights with the rise in ransomware and credit card data breaches in the last couple of years, but they are not the only ones facing this challenge. Wombat Security's Beyond the Phish™ report found that telecommunications and transportation industries also struggle with a wide range of security issues.

Ultimately, an organization can improve its defenses by elevating the level of security best practices across its employees and addressing the biggest offending categories of awareness.

Using Social Media Safely

Social media plays a big part in enterprises’ digital strategy, employee engagement and general community use (outside of work-related activities), but people are less aware of the risks social media poses than they should be. Out of all categories assessed in the Beyond the Phish report, end users struggled the most with safe social media use, missing 31 percent of the questions asked of them around what they should and shouldn’t do to keep themselves and their organizations safe. What’s more, only about half of security professionals are assessing users around this topic. As more than 75 percent of the working population is using social media, this shows us a concerning trend that organizations are not regularly advising employees about how to safely use these networks so many are tapping into. Of the industries surveyed, telecommunications performed the lowest, with education and retail not far behind. Many are not aware of the problem they have, and are hoping for the best -- but hope is not a strategy.

Evaluating an organization’s social media policy is one place to start when addressing this issue. If the decision is made to continue allowing employees to access social media on the job, specific guidelines on what and when sharing occurs should be developed to ensure internal operations are not compromised.

Protecting and Disposing of Data Securely

From the creation to disposal of data within an enterprise, there are many touch points along the way that can be exploited by malicious actors looking for access to sensitive company information. Think about how employees use USBs, delete files from hard drives, or secure work devices -- all of these things are part of a company’s responsibility to educate employees on to avoid leaking confidential data. Lackadaisical storage or disposal protocol can be extremely detrimental to protecting an organization’s most prized competitive details and "secret sauces", yet 30 percent of the questions assessed on this subject were missed by end users. This puts all stakeholders in danger, and while some industries performed more poorly than others, none did very well considering their interaction with extremely valuable information. The retail industry performed the lowest on this category, with transportation and technology coming in second and third lowest, respectively.

Organizations should develop and share a company-wide protocol for storing documents and sensitive company information so that all employees have no doubt where the latest client report should be stored, or whether the previous fiscal year financial breakdowns should be disposed of. Executives will be able to rest easy knowing their employees are up-to-speed on keeping company information confidential.

Identifying Phishing Threats

True awareness about how to handle an infrequently encountered situation comes down to the ability to change human behavior. Practice does not always make perfect, but it certainly increases your chances of performing well. The key is to be comfortable in similar scenarios to which you’ve rehearsed and have developed a broad understanding of red flags, potential impacts, and best practices. Achieving true awareness requires a combination of vulnerability and knowledge assessments, as well as effective education. When industries were assessed on simulated phishing attacks versus question-based evaluations, an interesting discrepancy between click rates and performance on assessments was uncovered, proving the need for both methods to measure success (or lack thereof). End users in the healthcare industry had a 13 percent click rate on simulated phishing attacks, yet missed 31 percent of the questions on this subject in assessments. Manufacturing and energy end users had only a 9 percent click rate, but missed 29 percent of questions on identifying phishing threats.

Simulated phishing is a great tool, but using that approach alone only provides a click/no-click measurement, and not a full scope debrief of a user’s knowledge level. Reviewing data from simulated attacks and knowledge assessments provides a clearer picture of employee competency with regard to recognizing and avoiding phishing attacks.

The industries listed above struggle the most with employee security knowledge, and the reasons for that vary greatly from lack of resources, to lack of focus, to simply not knowing issues exist in the first place. For all industries, consistent and effective education initiatives is one of the best ways to decrease the chances of a successful attack. But there must first be the recognition that education efforts should be prioritized along with all other security infrastructure initiatives.

Joe Ferrara is President and CEO, Wombat Security. Joining Wombat in 2011, Joe brings 20 years of experience in technology marketing, operations and management to his role as President and CEO. Recently Joe was a finalist for EY Entrepreneur Of The Year Western Pennsylvania and West Virginia and received a CEO of the Year award from CEO World. Joe has provided expert commentary and has spoken at numerous information security industry events including RSA Europe, the CISO Executive Network forum, ISSA International and information security regional conferences.