Weak employee training is the main reason industries are left vulnerable to phishing cyber attacks — this is the conclusion of Proofpoint’s fourth annual 2019 Beyond the Phish report, based on data from 130 million questions answered by end users across 16 industries.
“Cybercriminals are experts at gathering personal information to launch highly targeted and convincing attacks against individuals,” said Amy Baker, vice president of Security Awareness Training Strategy and Development for Proofpoint. “Implementing ongoing and effective security awareness training is a necessary foundational pillar when building a strong culture of security. Educating employees about cyber security best practices is the best way to empower users to understand how to protect their and their employer’s data, making end users a strong last line of defence against cyber attackers.”
Phishing exploits industry failings
Phishing remains a leading concern for organisations worldwide.
Overall, one in every four questions in the “Identifying Phishing Threats” and “Protecting Data Throughout Its Lifecycle” categories was answered incorrectly.
The report identified that while employees have become more familiar with the hallmarks of phishing attacks and the need to protect data, knowledge gaps remain that cybercriminals can exploit — 83% of global organisations experienced phishing attacks in 2018, underscoring the urgent need to educate end users.
Employee training: the best of the best
• Communications was the best performing department, with end users correctly answering 84% of questions.
• Finance was the best performing industry, with end users answering 80% of all questions correctly.
• End users in the Insurance industry delivered the best performance in three of the 14 categories analysed, specifically excelling in the “Avoiding Ransomware Attacks” category.
• Customer Service, Facilities, and Security were among the worst performing departments, incorrectly answering an average of 25% of cyber security questions asked. As these are respondent-defined department designations, the Security department could include both physical security and cyber security.
• End users in the Education and Transportation industries struggled the most, on average, answering 24% of questions incorrectly across all categories.
• Hospitality employees scored the lowest in three categories, including “Physical Security Risks,” in which 22% of questions were answered incorrectly.
“Organisations need to be persistent and thorough in their security awareness training programs considering the end user behaviours that influence and impact overall security postures. This annual report reiterates the need to go beyond the use of phishing tests to evaluate end user susceptibility and cyber threat knowledge,” continued Baker. “It’s important to remember that not all security incidents stem from an attack; many issues result from limited awareness and poor security practices. Our research has shown a significant increase in safe behaviours when organisations take a well-managed, continuous approach to training across all cyber topics.”
Effective employee training
Effective education is imperative: cybercriminals have shifted from attacking infrastructure to targeting individuals, which makes a people-centric approach to security essential.