Site icon IT World Canada

Phishing training needs both broad and targeted approach, says report

Employees are one of the weakest points infosec pros have to deal with in preventing cyber attacks, particularly when it comes to resisting phishing.

Yet after years of attempts to raise security awareness many staffers still haven’t grasped some essentials if security vendor ProofPoints annual ‘State of the Phish’ report is accurate.

Consider these numbers in a global survey of 3,500 workers in seven sophisticated IT countries (the United States, Australia, France, Germany, Japan, Spain and the United Kingdom). Users were asked to define cybersecurity terms choosing from multiple choices:

Related:

Bulk of cyber budget should go to awareness training


The report also surveyed more than 600 IT security pros from the same seven countries. Of those whose firms offered simulated phishing attacks for testing awareness, 29 per cent of users opened the attachment or clicked on the link.

Cybersecurity awareness doesn’t stop at the office. It’s also vital staff continue to be aware at home.

Yet 61 per cent of the U.S. respondents said they allow friends and family to use their work devices. Only 31 per cent of respondents said they changed the default password on their Wi-Fi router, 19 per cent have checked and/or updated their Wi-Fi router’s firmware, 14 per said are unsure of how to implement Wi-Fi security measures and 11 per cent said they find Wi-Fi security measures too time-consuming and/or inconvenient to implement.

The report also surveyed more than 600 IT security pros from the same seven countries. Ninety-five per cent said their organization delivers phishing awareness training. And 78 per cent of organizations say their security awareness training resulted in measurably lower phishing susceptibility.

But nearly 30 per cent of respondents said they train just a portion of their employees.

“Targeted training is a critical part of cybersecurity education” the report’s authors comment, “but it works best when combined with a program that promotes organization-wide attention to best practices.”

Infosec pros may also be interested in a section of the report that details the kinds of phishing tests that were best at tricking employees. These had email subject lines like “Lost watch,” Lost ring,” “Updated Building Evacuation Plan,” and “Add me to your LinkedIn network.”

The report urges organizations to use a blend of broad and targeted education to raise awareness about phishing and offer staff actionable advice. To do that management has to build a culture of security, figure out who is being attacked and the types of attacks they face, and be ready to adapt if your threat climate changes.

Click here to read the full report. (Registration required)

Exit mobile version