Gretel Egan | April 24, 2018

Wombat Security’s Beyond the Phish® Report Shows That Protecting Confidential Information Remains No. 1 Problem Area for End Users

End users show good understanding of how to avoid ransomware attacks but lack understanding of data protection techniques, including those mandated by the GDPR.

PITTSBURGH, April 24, 2018 – Wombat Security (Wombat), a division of Proofpoint and the leading provider of cyber security awareness training, today announces the release of its 2018 Beyond the Phish® Report, which provides analysis of nearly 85 million questions and answers posed to its customers’ end users — a significant increase from 70 million in the 2017 report — across 12 categories and 16 industries. The report identifies strengths and weaknesses related to phishing as well as a range of cybersecurity threats beyond the phish.

“As we come off a successful week at RSA Conference, the 2018 Beyond the Phish® Report again illustrates the importance of combining the use of assessments and training across many cybersecurity topic areas, including phishing prevention,” said Joe Ferrara, Wombat General Manager. “Our hope is that by sharing this data, infosec professionals will think more about the ways they are evaluating vulnerabilities within their organizations and recognize the opportunity they have to better equip employees to apply cybersecurity best practices and, as a result, better manage end-user risk.”

The 2018 Beyond the Phish® Report also validates the need for organizations to use a combination of simulated attacks and question-based knowledge assessments to evaluate their end users’ susceptibility to phishing. For example, though Wombat’s 2018 State of the Phish™ Report revealed a 9% average click rate on phishing tests across all industries, the Beyond the Phish® Report shows that end users incorrectly answered 24% of questions related to the identification and avoidance of phishing attacks. This indicates that organizations that are relying on simulated phishing tools alone are not getting a complete picture of their end users’ understanding of — and susceptibility to — the many different tactics cybercriminals employ when crafting email-based social engineering attacks.

Key areas from the report analysis that reveal room for improvement include the following:

  • End users again displayed the worst performance in the Protecting Confidential Information category, with 25% of questions missed, down marginally from 26% in 2017. This category covers compliance-related topics, including requirements related to the General Data Protection Regulation (GDPR). These results are particularly concerning with the looming GDPR enforcement date.
  • Employees in telecommunications and manufacturing each received the lowest rankings in 3 of the 12 categories analyzed for the report.
  • In the Protecting and Disposing of Data Securely category — which deals with secure management throughout the data lifecycle — end users across all industries answered 23% of questions incorrectly.

While there is always room for improvement with regard to end-user risk management, the 2018 Beyond the Phish® Report also highlights categories and industries in which employees are improving year-over-year and have answered the highest percentage of questions correctly:

  • End users incorrectly answered an average of 19% of questions across all categories and industries.
  • Employees in education and technology industries each had top rankings in 3 of the 12 categories analyzed for the report.
  • End users performed the best in the Avoiding Ransomware Attacks category, answering nearly 90% of questions correctly on average across all industries.

About the Beyond the Phish® Report

The 2018 Beyond the Phish® Report compiles data from nearly 85 million questions answered by the end users of Wombat Security customers in 12 categories across 16 industries. Results are based on CyberStrength® Knowledge Assessments and training challenges completed by end users via Wombat’s Security Education Platform, a cloud-based learning management system, from January 1, 2017, through December 31, 2017. You can view the full report results here.

About Wombat Security

Wombat Security, a division of Proofpoint, is the leading provider of information security awareness and training software to help organizations teach their employees secure behavior for enterprises. Their SaaS-based cybersecurity education solutions include an integrated platform of knowledge assessments, simulated attacks, and brief interactive training modules. Wombat's solutions help organizations reduce successful phishing attacks and malware infections up to 90%. The company has been recognized by Gartner as a Leader in the Magic Quadrant for Security Awareness Computer-Based Training Vendors for four years in a row. Founded in 2008, Wombat is helping mid-market, Fortune 1000, and Global 2000 customers to strengthen their cybersecurity defenses.


Wombat Security Contact

Samantha Harris



Gretel Egan
412-621-1484 x 136