wombatsecurity | January 19, 2017

Annual State of Phish Report from Wombat Security Shows Simulated Phishing and Training Programs Driving Safer End-User Behavior

  • 76% of companies still report being a victim of phishing, a 10% decrease from 2015
  • 51% said the rate of phishing attacks is increasing, a 15% decrease from 2015

PITTSBURGH, Jan. 19, 2017 – Wombat Security Technologies (Wombat), the leading provider of cyber security awareness and training, today announces the release of its annual research report, The State of the Phish™. The report reveals some positive trends, including a 64% increase in organizations measuring end user risk from 2015 to 2016. However, 76% of infosec professionals still report their organizations being victims of a phishing attack and 51% said the rate of attacks is increasing – both data points are decreases from 2015 to 2016, illustrating that while training and education is working, the threat of attacks continues to remain high.

The third annual State of the Phish report analyzed data from tens of millions of simulated phishing emails over 12 months – a 155% increase in the number of emails looked at in the previous report – as well as more than 500 survey responses from infosec professionals and more than 2,000 answers from employed computer users in the U.S. and the U.K. on their phishing knowledge and behavior.

Thirty-eight percent of infosec professionals who reported a phishing attack cited a disruption of employee activity as the largest impact on their organization compared to data loss or compromised accounts. According to the 2015 Ponemon Institute paper, The Cost of Phishing and the Value of Employee Training, lost employee productivity is the largest cost associate with phishing at roughly $1.8 million for a 10,000-person company.

Consumers were surveyed to test knowledge awareness not only on phishing, but also ransomware. When asked, “What is phishing?”, 65% of those surveyed in the U.S. answered correctly. However, 52% were not even able to make a guess on “what is ransomware?”. End users who don’t recognize or understand the risks of ransomware are also unlikely to practice safe behaviors such as properly backing up files which can reduce the effectiveness of a ransomware attack.

“Social attacks take advantage of employees trying to be helpful so it stands to reason that social awareness of attack methods plays a critical role in protecting against phishing,” said Eric Ogren senior security analyst at 451 Research. “Enterprises with corporate phishing education programs empower employees to help protect themselves and the business.”

Despite an increase on the general awareness of the concept of phishing, end users continue to make their organization vulnerable through other risky behaviors such as checking personal email on work devices and keeping work data on their personal devices. The consumer survey showed a key cultural difference between U.S. and U.K. employees in how much they blur the lines between work and home. In the U.S., 49% of those surveyed reported checking their work email on their personal phone compared to 29% in the U.K.; and 50% of the respondents in the U.S. admitted to checking personal email on their work computers compared to 31% in the U.K.

“Staying vigilant and implementing a Continuous Training Methodology is key to securing organizations,” said Joe Ferrara, President and CEO of Wombat. “We’ve seen an increase in organizations making an investment in an end user security training and awareness program with 66% of infosec professionals now measuring their organization’s susceptibility to phishing and 92% training end users on how to identify and avoid phishing attacks.”

Other key findings:

  • Simulated phishing fail rate: End-users are more likely to fall for a simulated phishing email they would expect to find in their work inbox rather than a consumer related item. One of the highest Wombat phishing template average failure rates is 34% from a message called “Message from Administrator” that asks the user to click on the link if they feel they received the message in error or didn’t sign up for a certain account.
  • Spear phishing: 61% of companies reported experiencing a targeted attack, or spear phishing.
  • Patching updates: While Wombat’s ThreatSim® simulated phishing tool showed that customers made significant improvements in patching out-of-date software from 2015 to 2016, there are common pieces of software that remain out-of-date: Adobe PDF (31% of the time), Microsoft Silverlight (17%), Adobe Flash (12%) and Java (8%).
  • Technology protection: Overall changes in technology utilized by organizations to reduce the risk of phishing includes the addition of email/spam filters (94%), advanced malware analysis (63%), outbound proxy protection (48%), and URL wrapping (31%).
  • Industry breakdown: Several industries have shown a high percentage of improvement in click rates year over year. These include: professional services (47%), technology (32%), energy (27%), telecommunications (26%) and finance (19%). These large improvement percentages are driven by their commitment to training programs and measurement.

About the State of the Phish
The third annual State of the Phish report evaluated data from tens of millions of simulated phishing emails sent over a 12-month period from October 1, 2015 to September 30, 2016 – a 155% increase in the number of emails analyzed in the 2016 report. Additionally, survey data from both infosec professionals and end users was incorporated to provide a better understanding of what the impact and knowledge-base of phishing was in 2016. While not a scientific study, the report offers insight into what proactive organizations are doing better to train their end users to identify and avoid phishing messages. You can download the full report here.

About Wombat Security Technologies
Wombat Security Technologies provides information security awareness and training software to help organizations teach their employees secure behavior. Their SaaS-based cyber security education solution includes a platform of integrated broad assessments, as well as a library of simulated attacks and brief interactive training modules. Wombat's solutions help organizations reduce successful phishing attacks and malware infections up to 90%. Wombat, recognized by Gartner as a leader in the Magic Quadrant for Security Awareness Computer-Based Training Vendors, is helping Fortune 1000 and Global 2000 customer in industry segments such as finance and banking, energy, technology, higher education, retail and consumer packaged goods to strengthen their cyber security defenses.

Wombat Security Contact:
Julie Frey

Susan Mackowiak
412-621-1484 x 126