Your company may be using the latest software, hardware and other resources to protect against cybersecurity threats, but unless your employees are aware of current malware, ransomware and phishing techniques, all of those tools can still be defeated by one careless click. A recent Proofpoint report, Beyond the Phish, found that employees were knowledgeable in some areas of cybersecurity but weak in others.
Conducted between January 1 and February 28, 2019, the assessment questioned users across 16 industries to gauge their awareness of phishing, ransomware, mobile device security, password hygiene, social media and several other security topics. The data set comprises almost 130 million questions answered by end users at Proofpoint's corporate customers.
On average, users answered 22% of the questions incorrectly. That is up slightly from 19% in 2018, though Proofpoint acknowledged that this year's assessments were tougher than last year's. The topics that drew the most incorrect answers were Identifying Phishing Attacks, Protecting Data Through its Lifecycle, Compliance-related Cybersecurity Directives, Protecting Mobile Devices and Information, and Using the Internet Safely. Users gave fewer incorrect answers on Avoiding Ransomware Attacks, Passwords and Account Authentication, and Unintentional and Malicious Insider Threats.
Users' knowledge also varied by industry. The highest percentages of incorrect answers came from education, transportation, energy, healthcare and manufacturing. The highest percentages of correct answers came from finance, telecommunications, technology, insurance and government. The report also offered specific examples by industry.
Within an industry, knowledge varied by topic. Users in transportation ranked highest in three categories, Passwords and Account Authentication, Protecting Mobile Devices and Information, and Working Safely Outside the Office, but struggled to identify the tell-tale signs of phishing attacks. People in education did well at identifying physical security and Internet-based threats but performed poorly in categories such as Cybersecurity Concerns for Working Adults and Social Engineering and Related Scams.
Education is the key to improving users' understanding of security threats. Raising awareness among employees plays a vital role in protecting the organization from the latest threats, because not every security incident starts with a sophisticated attack; many arise from poor user security practices and a general lack of awareness. Treat email-based phishing with the care and attention it deserves, but take your security awareness training beyond the inbox. Simulated phishing campaigns are an excellent tool for measuring how susceptible users are to specific lures, and for raising awareness of email-based attacks, but a handful of individual phishing examples cannot teach users the nuances of these threats. Their real value is in the data they produce: which lures work, which departments fall for them, who clicks repeatedly and who reports, so that training effort can be directed where the assessment shows it is needed.
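As an added illustration of how simulated-phishing results can be turned into the kind of per-topic and per-group metrics the report describes, the following Python script is an example written for this page, not Proofpoint's tooling or anything from the report. The campaign records, departments and lure names are constructed sample data, and the record fields (clicked, submitted, reported) are assumptions about what a simulation platform would export.

```python
from collections import defaultdict

# Constructed sample: two simulated phishing campaigns sent to six users in
# three departments. One record per recipient per lure. Not real data.
SAMPLE_EVENTS = [
    # campaign 1: fake invoice attachment
    {"user": "alice", "dept": "finance",   "lure": "invoice", "clicked": False, "submitted": False, "reported": True},
    {"user": "bob",   "dept": "finance",   "lure": "invoice", "clicked": True,  "submitted": False, "reported": False},
    {"user": "carol", "dept": "education", "lure": "invoice", "clicked": True,  "submitted": True,  "reported": False},
    {"user": "dave",  "dept": "education", "lure": "invoice", "clicked": True,  "submitted": False, "reported": False},
    {"user": "erin",  "dept": "transport", "lure": "invoice", "clicked": False, "submitted": False, "reported": False},
    {"user": "frank", "dept": "transport", "lure": "invoice", "clicked": False, "submitted": False, "reported": True},
    # campaign 2: fake password-reset link
    {"user": "alice", "dept": "finance",   "lure": "password-reset", "clicked": False, "submitted": False, "reported": True},
    {"user": "bob",   "dept": "finance",   "lure": "password-reset", "clicked": True,  "submitted": True,  "reported": False},
    {"user": "carol", "dept": "education", "lure": "password-reset", "clicked": True,  "submitted": False, "reported": False},
    {"user": "dave",  "dept": "education", "lure": "password-reset", "clicked": False, "submitted": False, "reported": False},
    {"user": "erin",  "dept": "transport", "lure": "password-reset", "clicked": True,  "submitted": False, "reported": False},
    {"user": "frank", "dept": "transport", "lure": "password-reset", "clicked": False, "submitted": False, "reported": True},
]


def summarize(events, key):
    """Aggregate simulation results by `key` ("lure" or "dept").

    Returns {group: {"sent", "clicked", "submitted", "reported",
                     "click_rate", "report_rate"}}.
    click_rate is the share of recipients who followed the lure;
    report_rate is the share who reported it, the number you want to go up.
    """
    counts = defaultdict(lambda: {"sent": 0, "clicked": 0, "submitted": 0, "reported": 0})
    for e in events:
        c = counts[e[key]]
        c["sent"] += 1
        for field in ("clicked", "submitted", "reported"):
            if e[field]:
                c[field] += 1
    for c in counts.values():
        c["click_rate"] = c["clicked"] / c["sent"]
        c["report_rate"] = c["reported"] / c["sent"]
    return dict(counts)


def rank_by_click_rate(events, key):
    """Groups ordered from most to least susceptible, mirroring the report's
    per-industry ranking of incorrect answers."""
    summary = summarize(events, key)
    return sorted(summary, key=lambda g: summary[g]["click_rate"], reverse=True)


def repeat_clickers(events, min_clicks=2):
    """Users who clicked in at least `min_clicks` distinct campaigns.

    A single click can be bad luck; clicking across different lures is the
    signal that a user needs targeted training rather than another generic
    simulation.
    """
    clicks = defaultdict(set)
    for e in events:
        if e["clicked"]:
            clicks[e["user"]].add(e["lure"])
    return sorted(u for u, lures in clicks.items() if len(lures) >= min_clicks)


def main():
    for key in ("lure", "dept"):
        print(f"--- by {key} ---")
        for group, c in summarize(SAMPLE_EVENTS, key).items():
            print(f"{group:15s} sent={c['sent']:2d} clicked={c['clicked']:2d} "
                  f"submitted={c['submitted']:2d} reported={c['reported']:2d} "
                  f"click_rate={c['click_rate']:.2f} report_rate={c['report_rate']:.2f}")
    print("most susceptible departments:", rank_by_click_rate(SAMPLE_EVENTS, "dept"))
    print("repeat clickers to prioritise:", repeat_clickers(SAMPLE_EVENTS))


if __name__ == "__main__":
    main()
```

Run it and the constructed data reproduces the pattern the report describes: the education group has the highest click rate and reports nothing, while the finance group clicks less and reports more. Tracking report_rate alongside click_rate matters because the goal of training is not only fewer clicks but more users who recognise a lure and tell the security team, which is what shortens response time in a real incident.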