In the last year, the number of organizations that reported being a victim of phishing has increased 13 percent, and 60 percent of enterprises said the rate of phishing attacks has increased overall.
“Clearly, phishing is a focus area across the industry, but the efforts can’t stop there,” said Joe Ferrara, President and CEO of Wombat. “To reduce cyber risk in organizations, security education programs must teach and assess end users across many topic areas, like oversharing on social media and proper data handling. Many of these risky behaviors exacerbate the phishing problem.”
Key findings from the report that show room for improvement include:
Furthermore, with the rise in remote working and end users who value the ability to work outside of the office, organizations need to educate their employees on how to stay safe while they are outside the office. Improper use of free WiFi, inattention to physical security, lax data protections, and the lack of security guidelines during travel led to 26 percent of questions missed by end users on this important topic.
Derek Brink, CISSP, Vice President and Research Fellow, Aberdeen Group comments, “We should all be thankful to Wombat Security for sharing empirical data from nearly 20 million actual end-user assessments! The findings here are clear – organizations that measure user knowledge on a variety of security topics are gaining valuable insights into the most important factors of security risk, which can focus their efforts to address it. The depth of data, combined with a continuous, metrics-based approach to end-user security education, results in a solid knowledge improvement program. In my own analysis, successfully changing user behaviors has helped Wombat customers reduce security-related risks by about 60 percent.”
While there is room for improvement in all risk areas, the report also highlights categories where employees have answered the highest percentage of questions correctly.
"Wombat's founders pioneered the use of simulated phishing attacks, and as one of the leading providers of this type of assessment tool, we are and always will be a strong advocate for anti-phishing training. However, it is important for organizations to recognize that malicious emails are far from the only source of end-user risk," says Ferrara. "Take security when you are outside your office, for example. This is a topic that should be a part of every security awareness training program, particularly for today's mobile workforce. Many employees are accessing corporate email and internal systems from mobile devices or remote locations. Do employees understand the risks of connecting to free WiFi networks? Do they know what a rogue hotspot is? Are they using strong passcodes or other locking mechanisms? Do they use VPNs? Do they understand the implications of malicious applications and over-reaching permissions?"
Ferrara adds that these are just some of the questions that organizations should be asking their end users -- and they should be following up with training if the answers show a lack of understanding.
Wombat CTO Trevor Hawthorn likes to equate solid, effective cybersecurity education to marathon training.
"You don't take a jog around the block and find yourself prepared to run a marathon. The same can be said for managing end-user risk. You can't send a simulated phish or two, or do a one-hour training session once or twice a year and reasonably expect to see improvements in employee behaviors," Hawthorn says. "With security awareness and training, you are looking for noticeable, sustainable change over time. You simply won't get that with one-off activities."
The report evaluated nearly 20 million questions asked and answered in Wombat's Security Education Platform over the past two years, and highlights the areas end users struggle with the most as well as those they answer correctly most often. Of the organizations that participated, 20% were in financial industries, 13% in technology, 11% in healthcare, and others in verticals including manufacturing, professional services, education, insurance, retail, energy, government, telecommunications, and consumer goods.
Wombat Security Technologies provides information security awareness and training software to help organizations teach their employees secure behavior. Its SaaS-based cyber security education solution includes a platform of integrated broad assessments, as well as a library of simulated attacks and brief interactive training modules. Wombat's solutions help organizations reduce successful phishing attacks and malware infections by up to 90%. Wombat, recognized by Gartner as a leader in the Magic Quadrant for Security Awareness Computer-Based Training Vendors, is helping Fortune 1000 and Global 2000 customers in industry segments such as finance and banking, energy, technology, higher education, retail and consumer packaged goods to strengthen their cyber security defenses.