Last September, Wombat Security released its 2016 Beyond the Phish™ Report, a cybersecurity awareness analysis that showed end-user knowledge gaps that pose significant risk to organizations across a range of vertical markets, including healthcare, telecom, retail, and transportation.
The Beyond the Phish Report includes data compiled from nearly 20 million questions asked and answered about nine relevant cybersecurity topics, and Wombat’s analysis revealed that many cybersecurity threats that are prevalent today — such as oversharing on social media, unsafe use of WiFi, and company confidential data exposure — are not well understood by end users. These activities are not only dangers in their own right; they are also contributing factors to the ever-expanding phishing problem.
The report also includes results of a survey of hundreds of security professionals, who were asked about the security topics they assess and their confidence in their end users' abilities to make good security decisions. Key findings from the report showed there is room for improvement in a number of areas.
The Wombat research revealed that, outside of phishing, the following five cybersecurity topics are the least understood by end users and, as such, pose the greatest risk to organizations:
Safe use of social media was the biggest issue for end users; 31% of questions asked about this topic were missed. But organizations are partly to blame here, as only 55% of the infosec professionals surveyed said they assess employee knowledge about this topic.
On average, end users across all industries missed 30% of questions related to proper data protections and secure data disposal. (Within the Beyond the Phish Report, this category covers the lifecycle of data, from creation to disposal, and touches on Personally Identifiable Information [PII] on a more general level.) Though healthcare organizations proved most likely to assess their employees’ ability to protect data throughout its lifecycle, 31% of questions about this topic were missed by users in this industry.
Within this topic, Wombat asked end users questions specifically related to information safeguards covered in the Payment Card Industry Data Security Standard (PCI DSS) and Health Insurance Portability and Accountability Act (HIPAA). While the Wombat report indicated that security teams are likely to assess their employees about this topic, it also showed that many industries struggled with securing sensitive financial and medical information. On average, across all end users asked, 27% of questions on this topic were missed. Unfortunately, healthcare workers once again struggled more than the average user, missing 32% of the questions asked.
With the rise in remote employees and end users who value the ability to work outside the office, organizations need to better educate end users who work remotely and those who travel regularly. Improper use of free WiFi, inattention to physical security, lax data protections, and the lack of security guidelines during travel led to 26% of questions missed by end users on this important topic.
Nearly 80% of the security professionals surveyed by Wombat said they include assessments about this topic as part of their cybersecurity programs, and those efforts translated into one of the lowest average miss rates, with only 16% of these questions answered incorrectly by end users. However, some industries showed a need for improvement; employees in the transportation, retail, and healthcare sectors missed more than the average rate, increasing their vulnerability to malicious attacks.
Visit the Wombat Security website for a full copy of the 2016 Beyond the Phish Report.