A study by Wombat Security Technologies of more than 70 million questions and answers identifies strengths and weaknesses tied both directly to phishing and threats beyond the phish. The Beyond the Phish report examines end-user knowledge of business-critical best practices such as data protection measures, mobile device security, safe social sharing and password hygiene. Understanding of these knowledge levels is critical as poor cyber hygiene in these areas can compound the phishing threat and weaken security postures in general.
Though the overall rate of incorrectly answered questions improved modestly compared to 2016, falling by nearly 10%, gains in some categories were offset by losses in others. In addition to analysing results at the category level, Wombat also examined industry data to see how various industries compared, both overall and within each category.
“We continue to see in our year-over-year results that reinforcement and practice are critical to learning retention. As with any learned skill, organisations need to work on cyber security awareness and knowledge to see continual improvements,” said Joe Ferrara, President and CEO of Wombat. “Organisations that focus on building a culture of security and empowering their employees to be a part of the solution develop the most sustainable and successful security awareness training programs. By sharing our data in the Beyond the Phish Report, we hope to be a part of building those cultures and helping organisations successfully change behaviour in previously undiscovered areas of vulnerability.”
The number one problem area for end users, with 26% of questions missed, is protecting confidential payment card and healthcare information. Users struggled most with questions about the use of shared login credentials. Protecting mobile devices and information saw the largest year-over-year decline in performance, with users struggling to understand the consequences of unsafe mobile applications and invasive app permissions.
While there is always room for improvement with regard to managing end-user risk, the report also highlighted categories and industries in which employees are improving year-over-year and have answered the highest percentage of questions correctly. All industries saw an improvement over 2016 in questions around identifying phishing attacks. The rate of incorrectly answered questions was 24% on average in 2017 compared to 28% on average in 2016.
Social media use saw the largest year-over-year improvement, a positive trend as the use of social media platforms continues to rise globally. Working safely outside the office also showed a significant improvement year-over-year, which continues to be important to organisations as 43% of employees work remotely at least part of the time according to Gallup.
On average, end users performed well in the new category on protecting oneself against scams, which focuses on recognising different types of social engineering techniques. As in 2016, the best understood category for end users was password safety, where only 12% of answers were incorrect in 2017.
Furthermore, the report shows that organisations should combine simulated attacks with question-based knowledge assessments when evaluating their end users’ susceptibility to phishing, because the two measure different things: a simulation measures what users actually do when a phishing email lands in their inbox, while a knowledge assessment measures what they know in principle. For example, the report revealed an 18% click rate on simulated phishing attacks among healthcare employees, while 26% of phishing questions were answered incorrectly in the same industry. Using both types of assessment gives a more complete picture of vulnerability than either one alone.