wombatsecurity | September 01, 2016

Wombat Security Cyber Security Awareness Report Reveals Knowledge Gaps

Wombat Security Technologies (Wombat), a leading provider of cyber security awareness and training, has announced the release of its  Beyond the Phish™ Report, an analysis of nearly 20 million questions and answers indicating how well end users are able to identify and manage security threats within an enterprise. The report reveals the many cybersecurity threats that are prevalent today such as oversharing on social media,unsafe use of WiFi, and company confidential data exposure that are dangers in their own right,but could also be considered contributing factors to the ever growing problem of phishing.

In the last year, the number of organizations that reported being a victim of phishing has increased 13 percent, and 60 percent of enterprises said the rate of phishing attacks has increased overall.

“Clearly, phishing is a focus area across the industry, but the efforts can’t stop there,” said Joe Ferrara, President, and CEO of Wombat. “To reduce cyber risk in organizations, security education programs must teach and assess end users across many topic areas, like oversharing on social media and proper data handling. Many of these risky behaviors exacerbate the phishing problem.”
Key findings from the report that show room for improvement include:

  • The No. 1 problem area for end users, with 31 percent of questions missed, is safe social media use; yet only 55 percent of security professionals assess employee knowledge on this topic.
  • End users missed 30 percent of questions about protecting and disposing of data securely, second only to safe social media use.
  • Professional services and healthcare employees performed the lowest on the nearly 1 million questions asked about safe passwords.
  • While healthcare was the industry had the highest assessment percentage on end users' ability to protect confidential information, 31 percent of questions on the topic were missed by those in the industry.

Furthermore, with the rise in remote working and end users who value the ability to work outside of the office, organizations need to educate their employees on how to stay safe while they are outside the office. Improper use of free WiFi, inattention to physical security, lax data protections, and the lack of security guidelines during travel led to 26 percent of questions missed by end users on this important topic.

Derek Brink, CISSP, Vice President and Research Fellow, Aberdeen Group comments, “We should all be thankful to Wombat Security for sharing empirical data from nearly 20 million actual end-user assessments! The findings here are clear – organizations that measure user knowledge on a variety of security topics are gaining valuable insights into the most important factors of security risk, which can focus their efforts to address it. The depth of data, combined with a continuous, metrics-based approach to end-user security education, results in a solid knowledge improvement program.  In my own analysis, successfully changing user behaviors has helped Wombat customers reduce security-related risks by about 60 percent.”

While there is room for improvement in all risk areas, the report also highlights categories where employees have answered the highest percentage of questions correctly.

  • 90 percent of questions were answered correctly about building safe passwords.
  • 85 percent of questions were answered correctly on how to best protect against physical risks, such as ensuring no one follows you into a secure area or not leaving sensitive files on your desk.
  • 79 percent of organizations assess end users on internet safety, and 84 percent of the questions in this category were answered correctly.

"Wombat's founders pioneered the use of simulated phishing attacks, and as one of the leading providers of this type of assessment tool, we are and always will be a strong advocate for anti-phishing training. However, it is important for organizations to recognize that malicious emails are far from the only source of end-user risk,"says Ferrara. "Take security when you are outside your office, for example. This is a topic that should be a part of every security awareness training program, particularly for today's mobile workforce. Many employees are accessing corporate email and internal systems from mobile devices or remote locations. Do employees understand the risks of connecting to free WiFi networks? Do they know what a rogue hotspot is? Are they using strong passcodes or other locking mechanisms? Do they use VPNs? Do they understand the implications of malicious applications and over-reaching permissions?"

Ferrara adds that these are just some of the questions that organizations should be asking their end users -- and they should be following up with training if the answers show a lack of understanding.

For wombat CTO Trevor Hawthorn, he says Wombat likes to equate solid, effective cybersecurity education to marathon training.

"You don't take a jog around the block and find yourself prepared to run a marathon. The same can be said for managing end-user risk. You can't send a simulated phish or two, or do a one-hour training session once or twice a year and reasonably expect to see improvements in employee behaviors," Hawthorn says. "With security awareness and training, you are looking for noticeable, sustainable change over time. You simply won't get that with one-off activities."

About the Beyond the Phish Report:

The report evaluated nearly 20 million questions asked and answered in Wombat's Security Education Platform over the past two years, and highlights the areas end users struggle with the most and those with the most correct. Of the organizations that participated, 20% were in financial industries, 13% in technology, 11% in healthcare, and others in verticals including manufacturing, professional services, education, insurance, retail, energy, government, telecommunications, and consumer goods.

About Wombat Security Technologies

Wombat Security Technologies provides information security awareness and training software to help organizations teach their employee's secure behavior. Their SaaS-based cyber security education solution includes a platform of integrated broad assessments, as well as a library of simulated attacks and brief interactive training modules. Wombat's solutions help organizations reduce successful phishing attacks and malware infections up to 90%. Wombat, recognized by Gartner as a leader in the Magic Quadrant for Security Awareness Computer-Based Training Vendors, is helping Fortune 1000 and Global 2000 customer in industry segments such as finance and banking, energy, technology, higher education, retail and consumer packaged goods to strengthen their cyber security defenses.

Read the article on Security Info Watch