2017 Beyond the Phish Report Reveals End-User Strengths, Weaknesses

Share with your network!


Infosec professionals who are seeking industry- and category-specific data points that illustrate business implications and highlight knowledge deficiencies in end-user cybersecurity knowledge, take note: our 2017 Beyond the Phish Report™ is now available for download.

This analysis represents more than 70 million questions asked and answered — a significant increase from 20 million in 2016 — across 10 categories within our CyberStrength® Knowledge Assessments as well as our interactive security awareness training modules. Our report examines strengths and weaknesses related to phishing threats, but also analyzes end-user knowledge beyond the phish. Within the Beyond the Phish Report, we explore employee understanding of business-critical cybersecurity best practices such as data protection measures, mobile device security, safe social sharing, password hygiene, and more. It’s important that organizations take the opportunity to evaluate knowledge across a range of topics, as poor cyber hygiene in these areas can compound the phishing threat and weaken security postures in general.

In speaking about this year’s report, Wombat President and CEO Joe Ferrara noted, “We continue to see in our year-over-year results that reinforcement and practice are critical to learning retention. As with any learned skill, organizations need to work on cybersecurity awareness and knowledge to see continual improvements. Organizations that focus on building a culture of security and empowering their employees to be a part of the solution develop the most sustainable and successful security awareness training programs.”

Areas for Improvement

Though there was a modest overall improvement in the rate of questions answered incorrectly compared to 2016 — a drop from 22% of questions answered incorrectly to 20% answered incorrectly — gains and losses in various categories generally offset one other. In addition to analyzing results by category level, we also looked at how various industries relate to one another on both general and category-specific levels. New within the 2017 report, we incorporated highlights from our User Risk Report to compare and contrast assessed knowledge levels against admitted end-user behaviors.

Key areas from the 2017 Beyond the Phish analysis that revealed room for improvement include the following:

  • With 26% of questions missed, the number one problem area for end users was protecting confidential payment card and healthcare information, which was also a top concern in 2016. Users struggled the most with questions around the use of shared login credentials.
  • We saw a significant downgrade in performance, year over year, in the category of protecting mobile devices and information. In particular, users struggling to understand the implications and ramifications of unsafe mobile applications and invasive permissions.
  • Employees in healthcare, transportation, and retail performed the lowest on average across all categories.
  • With GDPR looming, the need to safely manage personally identifiable information (PII) has been elevated. Unfortunately, our report revealed that end users across all industries answered a quarter of questions incorrectly around the protection and disposal of PII.
  • This year’s report is a bit of a cautionary tale for those organizations that assume knowledge levels are likely to remain consistent over time. For example, we saw that all but one industry performed worse in questions around using the internet safely, following positive numbers in 2016.

Areas of Improvement

While we can likely all agree that there is always room for improvement with regard to managing end-user risk, our 2017 Beyond the Phish Report did reveal categories and industries in which employees are improving year-over-year and have answered the highest percentage of questions correctly:

  • In 2016, phishing was the category that most organizations focused on from an assessment and training perspective — and that trend only increased in 2017. The good news is that the focus seems to be paying off: All industries saw an improvement over 2016 in questions around identifying phishing attacks. The rate of incorrectly answered questions was 24% on average in 2017, compared to 28% on average in 2016.
  • We saw the largest year-over-year improvement around the understanding of social media best practices, which is good news considering the proliferation of social networking among all age groups.
  • We also saw a significant improvement with questions related to working safely outside the office. This is heartening news, particularly for organizations with a large number of remote workers. In fact, a recent Gallup study indicated that 43% of employees work remotely at least part of the time.
  • A new category carved out in this year’s data focused on protections against scams, which focused on social engineering techniques that are applied across a range of attack vectors, including email, SMS/text messages, phone calls, and even in-person attacks. On average, end-users performed well in the new category, which is good news for organizations that are increasingly experiencing social engineering attacks.
  • As in 2016, the best understood category for end-users focused on password safety, in which only 12% of answers were answered incorrectly in 2017. A caveat to this, however, is seen in the results from our User Risk Report, which showed that users are still likely to use the same one or two passwords across a range of online accounts. It can be inferred from these studies that, even though users know the right answers, they sometimes fail to apply best practices in situations that seem too difficult or challenging.

Ultimately, our 2017 Beyond the Phish Report shows the need to continuously assess and train employees about cybersecurity threats. Infosec teams cannot assume that knowledge is a constant; like any skill, cybersecurity expertise needs to develop over time, and users need the opportunity to practice and grow their abilities. An hour of training, once a year, is not the way to move the dial on behavior change, nor can any one tool serve as a silver bullet to knowledge enhancement. It is a combination of phishing tests; question-based knowledge assessments; interactive training; reinforcement techniques and tools; and gathering of metrics and business intelligence that will give your security awareness and training program the best shot at success.

As always, we remain poised to be the partner that can help you move the dial and deliver measurable behavior change within your organization.