Wombat Security, a division of Proofpoint and the leading provider of cyber security awareness training, announces the release of its 2018 Beyond the Phish Report, which provides analysis of nearly 85 million questions and answers posed to its customers' end users — a significant increase from 70 million in the 2017 report — across 12 categories and 16 industries. The report identifies strengths and weaknesses related to phishing as well as a range of cybersecurity threats beyond the phish.
"As we come off a successful week at RSA Conference, the 2018 Beyond the Phish Report again illustrates the importance of combining the use of assessments and training across many cybersecurity topic areas, including phishing prevention," said Joe Ferrara, Wombat General Manager. "Our hope is that by sharing this data, infosec professionals will think more about the ways they are evaluating vulnerabilities within their organizations and recognize the opportunity they have to better equip employees to apply cybersecurity best practices and, as a result, better manage end-user risk."
The 2018 Beyond the Phish® Report also validates the need for organizations to use a combination of simulated attacks and question-based knowledge assessments to evaluate their end users' susceptibility to phishing. For example, though Wombat's 2018 State of the Phish™ Report revealed a 9% average click rate on phishing tests across all industries, the Beyond the Phish® Report shows that end users incorrectly answered 24% of questions related to the identification and avoidance of phishing attacks. This indicates that organizations that are relying on simulated phishing tools alone are not getting a complete picture of their end users' understanding of — and susceptibility to — the many different tactics cybercriminals employ when crafting email-based social engineering attacks.
Key areas from the report analysis that reveal room for improvement include the following:
- End users again displayed the worst performance in the Protecting Confidential Information category, with 25% of questions missed, down marginally from 26% in 2017. This category covers compliance-related topics, including requirements related to the General Data Protection Regulation (GDPR). These results are particularly concerning with the looming GDPR enforcement date.
- Employees in telecommunications and manufacturing each received the lowest rankings in 3 of the 12 categories analyzed for the report.
- In the Protecting and Disposing of Data Securely category — which deals with secure management throughout the data lifecycle — end users across all industries answered 23% of questions incorrectly.
While there is always room for improvement with regard to end-user risk management, the 2018 Beyond the Phish®Report also highlights categories and industries in which employees are improving year-over-year and have answered the highest percentage of questions correctly:
- End users incorrectly answered an average of 19% of questions across all categories and industries.
- Employees in education and technology industries each had top rankings in 3 of the 12 categories analyzed for the report.
- End users performed the best in the Avoiding Ransomware Attacks category, answering nearly 90% of questions correctly on average across all industries.