Employees are one of the weakest points infosec pros have to deal with in preventing cyber attacks, particularly when it comes to resisting phishing.
Yet after years of attempts to raise security awareness, many staffers still haven’t grasped some essentials, if security vendor Proofpoint’s annual ‘State of the Phish’ report is accurate.
Consider these numbers from a global survey of 3,500 workers in seven countries with mature IT sectors (the United States, Australia, France, Germany, Japan, Spain and the United Kingdom). Users were asked to define cybersecurity terms by picking from multiple-choice answers:
- only 61 per cent accurately defined phishing (only 49 per cent in the U.S.)
- only 31 per cent accurately defined ransomware (and that was down from 45 per cent the year before)
- 66 per cent accurately defined malware (but nearly 30 per cent of U.S. respondents thought malware was a type of hardware that boosts Wi-Fi signals)
- only 30 per cent chose the right definition of smishing
- only 25 per cent chose the right definition of vishing (but that was up from 18 per cent in the last survey)
- 26 per cent of respondents believe they can safely connect to Wi-Fi in coffee shops and airports
- half think that their IT teams will be automatically notified if they accidentally install a virus or other malicious software on their work computer.
- 29 per cent said they rotate between five and 10 different passwords among all their credentials. Another 16 per cent said they use the same one or two passwords for all their accounts.
Bulk of cyber budget should go to awareness training
The report also surveyed more than 600 IT security pros from the same seven countries. Of those whose firms ran simulated phishing attacks to test awareness, 29 per cent of users opened the attachment or clicked on the link.
Cybersecurity awareness doesn’t stop at the office. It’s also vital that staff stay aware at home.
Yet 61 per cent of the U.S. respondents said they allow friends and family to use their work devices. Only 31 per cent of respondents said they changed the default password on their Wi-Fi router, 19 per cent have checked and/or updated their Wi-Fi router’s firmware, 14 per cent said they are unsure of how to implement Wi-Fi security measures, and 11 per cent said they find Wi-Fi security measures too time-consuming and/or inconvenient to implement.
Ninety-five per cent of the security pros surveyed said their organization delivers phishing awareness training. And 78 per cent of organizations say their security awareness training resulted in measurably lower phishing susceptibility.
But nearly 30 per cent of respondents said they train just a portion of their employees.
“Targeted training is a critical part of cybersecurity education,” the report’s authors comment, “but it works best when combined with a program that promotes organization-wide attention to best practices.”
Infosec pros may also be interested in a section of the report that details the kinds of phishing tests that were best at tricking employees. These had email subject lines like “Lost watch,” “Lost ring,” “Updated Building Evacuation Plan,” and “Add me to your LinkedIn network.”
The report urges organizations to use a blend of broad and targeted education to raise awareness about phishing and to offer staff actionable advice. To do that, management has to build a culture of security, figure out who is being attacked and the types of attacks they face, and be ready to adapt if the threat climate changes.
The full report is available to read (registration required).