Wombat Security, a division of Proofpoint, has released the 2018 edition of its annual Beyond the Phish® Report, a study that analyzes end-user knowledge across a range of cybersecurity topics. The underlying premise of the report is that organizations should not solely focus their security awareness training efforts on email-based social engineering, but expand their efforts beyond the phish in order to create a better informed workforce that applies cybersecurity best practices across all job functions, not just email management.
The Beyond the Phish Report compiles data from nearly 85 million questions asked and answered by end-users across 12 cybersecurity topics and 16 industries. The data was gathered from question-based knowledge assessments and training assignments delivered by Wombat’s customers via the company’s cloud-based learning management system.
Wombat found that end-users are continuing to struggle with data management and data protection, particularly with regard to compliance-driven topics like the General Data Protection Regulation. In the study’s Protecting Confidential Information category—which explores end-user understanding of best practices and data management requirements related to standards like the GDPR, PCI DSS, and HIPAA—end-users answered an average of 25% of questions incorrectly across all industries, the worst-performing category of the 12 analyzed. Users didn’t fare much better in the Protecting and Disposing of Data Securely category, incorrectly answering 23% of questions related to generally accepted techniques for managing data throughout its lifecycle.
With the GDPR live date looming and other implications of poor data management continually in play, it’s important to consider how your end-users’ knowledge levels might measure up to those identified in the Wombat report, and how a lack of understanding of key cybersecurity topics might impact your organization’s overall security posture.
As you’ll note in the above chart, the report includes phishing in its analysis of end-user knowledge levels, and it makes the case that knowledge assessments—like those found in question-based surveys and training challenges—provide a different level of insight than click rates garnered from simulated phishing attacks.
To illustrate, Wombat compares the average phishing test click rates it measured for its 2018 State of the Phish Report with the results of end-user answers to questions within the Beyond the Phish Identifying Phishing Threats category—and there is a marked difference. While end-users across all industries had just a 9% average click rate on simulated phishing attacks, they incorrectly answered 24% of phishing-related questions.
Source: 2018 Beyond the Phish Report, Wombat Security
The report offers additional comparisons of this nature across multiple industries and also provides a breakdown of category performance for all 16 industries analyzed. A full copy of the Beyond the Phish Report is available on the Wombat Security website. For additional insights from industry experts, access the SecureWorld web conference, End-User Cybersecurity Behaviors: The Importance of Training Beyond the Phish, which is currently available for on-demand viewing.