Gretel Egan | January 17, 2018

Wombat Pinpoints Phishing Impacts and Key Regional, Industry, and Generational Differences in Fourth Annual State of the Phish™ Report

More than three-quarters of organizations experienced phishing attacks in 2017, but end-user security awareness is slow to improve globally

 

Pittsburgh, PA – January 17, 2018 – Wombat Security Technologies (Wombat), the leading provider of cyber security awareness and training, today announces the release of its annual State of the Phish research report. The report findings demonstrate that the war against phishing is still on, with 76% of organizations experiencing phishing attacks in 2017 and nearly half of information security (infosec) professionals saying that the rate of attacks increased from 2016. The impacts of phishing were also more broadly felt than in 2016, with an 80+% increase in reports of malware infections, account compromise, and data loss related to phishing attacks.

Even so, Wombat customers show positive trends and progress within their programs, with declining click rates and increases in the number of suspicious emails identified and reported by end users. Unfortunately, awareness of phishing and ransomware has not trickled down to the average technology user, as revealed by the international third-party survey that was conducted as part of the State of the Phish research.  

The fourth annual State of the Phish Report assembles data from three main sources:

  • Analysis of tens of millions of simulated phishing attacks sent through Wombat’s Security Education Platform over a 12-month period
  • 10,000+ responses collected from quarterly surveys of Wombat’s database of infosec professionals (customers and non-customers) from more than 16 industries
  • Insights from a third-party survey of more than 3,000 technology users (1,000+ adults each in the US, UK, and Germany)

The 2018 report is structured differently than in prior years, with data presented via four overarching themes:

  • Business intelligence gathered from simulated phishing data and real-world experiences of infosec professionals
  • Factors that influence click rates and reporting (such as industry and program maturity) and data about use of consequence models
  • Key differences between organizational approaches to end-user risk management in the US and the UK
  • End-user knowledge levels related to phishing, ransomware, and smishing (SMS/text message phishing)

Also new this year is a more in-depth look at regional differences between US and UK approaches to cyber security education. Wombat found that UK organizations are less likely to assess end users’ susceptibility to phishing attacks; more frequently use passive security awareness and training tools (like videos, posters, and newsletters); and are much more likely to rely on yearly cybersecurity training. The report also reveals that US organizations — which favor interactive training methods delivered on a monthly or quarterly basis — are more than twice as likely to realize quantifiable results from their efforts.

“The State of the Phish Report shows that simulated phishing attacks are certainly valuable tools in the battle against social engineering attacks, but it also reinforces the need for CSOs, CISOs and their teams to take a broader view of cybersecurity education,” said Joe Ferrara, President and CEO of Wombat Security. “A cyclical approach to security awareness and training is the most effective. Organizations should employ a methodology that both raises awareness of cybersecurity best practices and teaches users how to employ these practices when they inevitably face a security threat.” 

 

Other key findings:

  • Continued momentum for anti-phishing education: For the fourth consecutive year, Wombat saw an increase in the number of organizations that assess and train their users on phishing avoidance.
  • Increased use of computer-based training: The number of organizations using computer-based training this year jumped from 62% in 2016 to 79% in 2017.
  • Smishing (SMS/text message phishing) as an emerging threat: 45% of infosec professionals reported experiencing phishing via phone calls (vishing) and SMS/text messaging (smishing). Yet, globally, the majority (67%) of technology users surveyed were not able to hazard a guess as to what smishing is.
  • Generational differences: Across all populations, adults aged 55 and older significantly outpace millennials in their recognition of what phishing is.
  • German users struggle to define ransomware: Nearly 70% of surveyed technology users in Germany were unable to identify what ransomware is.

“This report is filled with new information and analysis that we hope will empower infosec professionals to more effectively develop their own security awareness and training programs and, in turn, better manage end-user risk,” said Amy Baker, VP of Marketing at Wombat Security. “As organizations continue to see the detriment phishing and ransomware can have on the health and longevity of a business, we want to equip them with the data they need to protect their customers’ and their own valuable information.”

 

###

 

About the State of the Phish™ Report

The fourth annual State of the Phish™ Report evaluated data from tens of millions of simulated phishing emails sent over a 12-month period from October 1, 2016 to September 30, 2017. Additionally, survey data from both infosec professionals and end users was incorporated to provide a better understanding of what the impact and knowledge of phishing was in 2017. While not a scientific study, the report offers insight into what proactive organizations are doing better to train their end users to identify and avoid phishing messages. You can download the full report here.

 

About Wombat Security Technologies

Wombat Security Technologies is the leading provider of information security awareness and training software that helps organizations teach their employees secure behavior. Its SaaS-based cybersecurity education solutions include an integrated platform of knowledge assessments, simulated attacks, and brief interactive training modules. Wombat's solutions help organizations reduce successful phishing attacks and malware infections by up to 90%. The company has been recognized by Gartner as a Leader in the Magic Quadrant for Security Awareness Computer-Based Training Vendors for four years in a row. Founded in 2008, Wombat is helping mid-market, Fortune 1000, and Global 2000 customers in industry segments such as finance and banking, energy, technology, higher education, retail, and consumer packaged goods to strengthen their cybersecurity defenses.

 

Wombat Security Contact: 
Emily Eldridge
wombat@shiftcomm.com  
512-792-2544

 

Gretel Egan
press@wombatsecurity.com
412-621-1484 x 136