Wombat Security's Beyond the Phish Report. #BeyondthePhish


Wombat Security's 2016 Beyond the Phish Report #BeyondthePhish

Beyond the Phish

As our State of the Phish Report reinforced earlier this year, phishing is still a large and growing problem for organizations of all sizes. And as pioneers in the use of simulated phishing attacks, we strongly recommend that organizations make anti-phishing education the foundation of their security awareness and training programs. However, we also recommend that they think beyond the phish to assess and educate their end users about the many other cybersecurity threats that are prevalent (and emerging) in today's marketplace. Risky behaviors like lax data protection, oversharing on social media, and improper use of WiFi are all dangers in their own right and could be considered contributing factors to the ever-growing phishing problem.

In this report we take a look at the answers to nearly 20 million questions asked and answered around nine different topics in our Security Education Platform over the past two years, to understand which areas end users still struggle with and which areas they are doing better in. We also surveyed hundreds of security professionals, customers and non-customers, about what security topics they assess on and their confidence in their end users' ability to make good security decisions. While not a scientific study, this report offers a look at these two sets of data and shows the importance of assessing and educating beyond the phish.

"We should all be thankful to Wombat Security for sharing empirical data from nearly 20M actual end-user assessments! The findings here are clear: organizations that measure user knowledge on a variety of security topics are gaining valuable insights into the most important factors of security risk, which can focus their efforts to address it. Depth of data, combined with a continuous, metrics-based approach to end-user security education, results in a solid knowledge improvement program. In my own analysis, successfully changing user behaviors has helped Wombat customers reduce security-related risks by about 60%." - Derek Brink, CISSP, Vice President and Research Fellow, Aberdeen Group

#BeyondthePhish 2016 / 1 www.wombatsecurity.com

Who Participated in the Survey?

About how many employees work at your organization?
0-1,000: 52%
1,001-5,000: 26%
5,001-20,000: 11%
20,001-50,000: 5%
Above 50,000: 6%

What industry does your organization belong to?
Finance: 20%
Technology: 13%
Healthcare: 11%
Other: 9%
Professional Services: 9%
Manufacturing: 8%
Education: 7%
Insurance: 6%
Energy: 4%
Retail: 4%
Government: 3%
Consumer Goods: 2%
Entertainment: 1%
Telecommunications: 1%
Transportation: 1%
Hospitality: 1%

What Do Organizations Assess On?

We were curious which areas (other than phishing) organizations assess, and how they match up with the areas where we see users struggle (more than one answer allowed).

What organizations are assessing (% of organizations):
Using the Internet Safely: 79%
Protecting Confidential Information: 78%
Building Safe Passwords: 68%
Using Social Media Safely: 55%
Protecting Mobile Devices and Information: 52%
Protecting and Disposing of Data Securely: 51%
Protecting Against Physical Risks: 51%
Working Safely Outside the Office: 50%

Progress is being made. Using the Internet Safely is the topic that most organizations reported assessing, and it was one of the topics in which end users performed better.

How Are End Users Doing?

20 million questions asked and answered. We took a look at approximately 20 million questions asked and answered over the past 2 years. There are some areas in which end users continue to struggle, and some where we are starting to see progress.

Questions missed, by topic:
Using the Internet Safely: 16%
Protecting Confidential Information: 27%
Building Safe Passwords: 10%
Using Social Media Safely: 31%
Protecting Mobile Devices and Information: 15%
Protecting and Disposing of Data Securely: 30%
Protecting Against Physical Risks: 15%
Working Safely Outside the Office: 26%
Identifying Phishing Threats: 28%

Using Social Media Safely: 31% missed

Social media plays a big part in our lives, but end users struggled here the most, missing 31% of the questions we asked them about what they should and shouldn't do to keep themselves and their organizations safe.

Only 55% assess on Using Social Media Safely. What's more, in our survey of security professionals we found that only about half are assessing users on this topic. Most companies allow social media access on work devices while admitting they are not very confident that their employees know what to do to keep their organization safe. Yet 76% allow access on work devices.

What is your confidence level that your employees know not to post pictures or locations on social media that could be harmful to your organization's security?
Not very confident: 29%
Neutral: 38%
Confident: 33%

Industries that struggle the most (questions missed):
Telecommunications: 38%
Education: 36%
Retail: 34%

What does this mean? While more than 75% of the working population is using social media, organizations are not regularly advising employees about best practices. Since many are not assessing on this topic and measuring knowledge, they do not know how large a problem they have and are just hoping for the best. Hope is not a strategy. Continuous assessment and training is a systematic approach to addressing the problem.

Protecting and Disposing of Data Securely: 30% missed

This category covers the lifecycle of data, from creation to disposal, and covers topics about handling PII (Personally Identifiable Information) at a more general level. Questions in this category covered topics such as using USBs, deleting files from hard drives, and securing work devices, and nearly 30% of the questions we asked on this topic were missed. This puts all of us in danger, and while some industries have done worse than others, none of them did very well considering their interaction with some of our most valuable information. According to our industry survey, only a little more than half are assessing on this topic at all.

Industries that struggle the most (questions missed):
Retail: 37%
Transportation: 34%
Technology: 33%
Education: 31%
Manufacturing: 31%
Energy: 31%
Telecommunications: 31%
Finance: 30%
Insurance: 30%
Government: 28%
Healthcare: 26%
Entertainment: 26%
Professional Services: 26%
Hospitality: 25%
Defense Industrial Base: 24%
Consumer Goods: 24%

Identifying Phishing Threats: 28% missed

Check out our State of the Phish Report for more data about phishing attacks: info.wombatsecurity.com/state-of-the-phish (State of the Phish 2016).

TIP! When organizations focus on reducing successful phishing attacks, they often think only about using phishing simulations. When our founders published the research that gave birth to the use of mock attacks, their vision extended beyond click/no-click assessments: their focus was on intervention and training that would change behavior and reduce end-user risk. But they knew simulated phishing emails and just-in-time training couldn't do that alone. From that, Wombat Security was born, along with a portfolio of products that allow organizations not only to assess vulnerability through simulated attacks, but also to evaluate and improve understanding via knowledge assessments and interactive training.

When we look at these two types of phishing assessments side by side, simulated attacks vs. question-based evaluations, the results prove the need for both approaches:

Healthcare: 13% click rate* on simulated phishing attacks vs. 31% in assessments
Manufacturing & Energy: 9% click rate* on simulated phishing attacks vs. 29% in assessments
* Click rate data is from our 2016 State of the Phish Report.

Simulated phishing is a great tool, but it only provides a click/no-click measurement, and you simply can't be sure why users didn't respond to a particular mock phish. Was it because they knew better? Or was it because the message wasn't relevant to them, or because they didn't see it in their inbox? Reviewing data from simulated attacks together with knowledge assessment results provides a clearer picture of employee competency in recognizing and avoiding phishing attacks.

Protecting Confidential Information: 27% missed

Questions asked on this topic relate specifically to standards compliance in both PCI DSS and HIPAA. Just like the topic of Protecting and Disposing of Data Securely, many industries struggled with securing sensitive financial and medical information. Healthcare workers missed the most questions, 5 percentage points worse than average. From our survey results, this is one of the top two topics that security teams are assessing on, and it should remain a top priority.

FACT! What was one of the most missed questions asked on this topic? Is it safe for a call center employee to write a customer's credit card number down in a personal notebook for later processing? (The answer is NO!)

Industries that struggle the most (questions missed):
Healthcare: 32%
Telecommunications: 30%
Defense Industrial Base: 29%
Professional Services: 29%
Education: 28%
Transportation: 28%
Manufacturing: 27%
Energy: 26%
Technology: 24%
Government: 23%
Retail: 23%
Finance: 22%
Consumer Goods: 22%
Insurance: 21%
Entertainment: 21%

Working Safely Outside the Office: 26% missed

The number of end users who want to connect to work anytime from anywhere is only going to increase. Organizations will need to keep educating their employees on how to stay safe on the road.

FACT! Today, working outside of the office is very common. Whether traveling for work or working from home or a local coffee shop, there are a lot of things to consider to keep data, networks, and equipment safe. We were surprised that only 50% of companies are assessing on this very important topic. Our data shows that 26% of questions have been missed on topics ranging from safe use of WiFi to practical physical security. No industry did great, but three did worse than the others:
Consumer Goods: 29%
Transportation: 28%
Insurance: 27%

With so few organizations assessing employees about their telecommuting habits, we assumed confidence in end-user knowledge would run high. But that's not the case, even with something as basic as proper use of open-access WiFi networks. Still, it's not terribly surprising given that more than half of those surveyed do not provide guidelines for employees to follow while traveling.

How confident are you that employees don't connect to public WiFi networks without a protected connection such as a VPN?
Not very confident: 52%
Neutral: 32%
Confident: 17%

Do you have a security policy/guideline for employees to follow while traveling?
Yes: 56%
No: 44%

Using the Internet Safely: 84% correct, 16% missed

According to our survey, using the internet safely is the topic security professionals are assessing on the most, with 79% reporting it as part of their security education program. It seems to be paying off, with end users getting 84% of the questions in this area correct. Malware and virus downloads are often done by end users who do not know how to spot dangerous URLs. While most industries were doing well on this topic, a few still missed more than our average of 16%:
Transportation: 22%
Retail: 20%
Health Care: 18%

What is your confidence level that employees understand safe practices for browsing the internet (such as logging out of web apps before closing, etc.)?
Not very confident: 31%
Neutral: 52%
Confident: 17%

Just because there is progress, that doesn't mean organizations should assess any less on the topic: continuous training keeps best practices top of mind for end users, especially on a topic that has become as second nature as browsing the internet.

Protecting Mobile Devices and Information: 85% correct, 15% missed

According to Pew Research, as of October 2015, 86% of those aged 18-29 and 83% of those aged 30-49 have a smartphone. This recent data from Pew Research indicates how important mobile devices have become. The good news from our data is that this is one of the better understood topics, with 85% of the questions being answered correctly (even though only 52% of organizations are assessing on it). However, some industries did a bit worse than the average of 15% questions missed.

Industries that struggle the most (questions missed):
Consumer Goods: 26%
Healthcare: 25%
Finance: 18%

FACT! Many of the most missed questions on this topic were around Bluetooth connectivity. Most people did not realize that they can leave personal information behind on devices they have paired with, such as a rental car.

Does your organization provide mobile/BYOD device programs that allow network access?
Yes: 67%
No: 33%

As technology changes and new threats develop, organizations and end users need to remain vigilant and up to date on how to stay safe.

Protecting Against Physical Risks: 85% correct, 15% missed

Physical security often seems like common sense (making sure no one follows you through a locked door into a secure area, not leaving sensitive files on your desk unattended), and it seems that most people understand the concepts presented, with 85% of the questions asked being answered correctly. Still, only 51% of organizations are assessing on this topic, so there is room for improvement there. Of concern, we saw end users in critical infrastructure industries falling a bit above the average of 15% questions missed, which is alarming given the potential impact of a physical breach in these types of organizations.

Industries that struggle the most (questions missed):
Telecommunications: 21%
Transportation: 21%
Manufacturing: 21%

TIP! Our data shows that end users often struggle with questions related to securing their devices while in the office. We tend to take safety for granted within our own office environments, but insider threats are a real thing. Employees should be taught simple security practices such as locking their computer screens when leaving their workstations and locking laptops and other portable devices in a secure drawer or cabinet when leaving for the night.

Only 51% of organizations assess their end users on this very important security topic.

Building Safe Passwords: 90% correct, 10% missed

We often hear a lot about passwords, but from our data on nearly 1 million questions asked on this topic, end users performed best, with only 10% of the questions being missed. It is also one of the top three areas assessed, with 68% of security professionals assessing on it. Most of the missed questions in this area were related to the use of personal information like birth dates or wedding dates when creating passwords.

While most industries did very well on this topic area, two struggled far more than the average (see below). But in our survey, professionals from all industries indicated that they are proactive about password-related policies and technologies.

Industries that struggle the most (questions answered correctly):
Professional Services: 79%
Healthcare: 83%

Do you enforce strong password policies (require a change at least every 60 days, special characters, a certain length, etc.)?
Yes: 82%
No: 18%

Do you use two-factor authentication?
Yes: 60%
No: 40%

No solution on its own is a silver bullet; a defense-in-depth strategy is best, with both technical and end-user focused safeguards working together to keep your organization safe.

Measurement Is the Key to Success

It has been said before, and we will say it again: measurement is the key to success. The first step in a successful security awareness and training program is assessing employee knowledge, in other words, measurement. If you begin with measurement, then you know which topic areas to focus on and have a baseline against which to measure your success going forward. Without measurement, you have no way to better understand your threats or the progress you are making with your program.

We asked two questions regarding measurement in our industry survey. Perhaps not surprisingly, there was a difference between our customers and non-customers in the results, with Wombat customers significantly more likely to measure the effectiveness of their training and to follow initial assessments with training.

Do you measure the effectiveness of training?
Wombat customers: 70% yes, 30% no
Non-customers: 28% yes, 72% no

Do you follow initial assessments with training?
Wombat customers: 75% yes, 25% no
Non-customers: 54% yes, 46% no

TIP! "In Aberdeen's research, which includes 29 independent benchmark studies, involving more than 3,500 organizations, completed over a 5-year period, the leading performers were 70% more likely than the lagging performers to have invested in security awareness and training for their end-users. The 2016 Beyond the Phish report confirms not only that Wombat's customers are focused on measuring training effectiveness, but also that they are making progress in improving end-user knowledge across several key dimensions." - Derek Brink, Aberdeen Research

Read the Aberdeen Group report, The Last Mile in IT Security: Changing User Behavior.

About Wombat Security

Wombat Security Technologies, headquartered in Pittsburgh, PA, provides information security awareness and training software to help organizations teach their employees secure behavior. Our Security Education Platform includes integrated knowledge assessments, simulated attacks, and libraries of interactive training modules and reinforcement materials. Wombat was born from research at the world-renowned Carnegie Mellon University, where its co-founders are faculty members at the CMU School of Computer Science; in 2008 they led the largest national research project on combating phishing attacks, with the goal of addressing the human element of cyber security and developing novel, more effective anti-phishing solutions. These technologies and research provided the foundation for Wombat's Security Education Platform and its unique Continuous Training Methodology. The methodology, a continuous cycle of assessment, education, reinforcement, and measurement (Assess, Educate, Reinforce, Measure), has been shown to deliver up to a 90% reduction in successful phishing attacks and malware infections.

wombatsecurity.com | info@wombatsecurity.com | 412.621.1484 | UK +44 (20) 3807 3472

#BeyondthePhish 2008-2016 Wombat Security Technologies, Inc. All rights reserved.