Beyond the Phish Report Shows Need for Broader Employee Awareness and Training



On September 1, we released our 2016 Beyond the Phish Report, a cybersecurity awareness analysis that shows major end-user knowledge gaps that pose significant risk to organizations across a range of vertical markets, including healthcare, telecoms, retail, and transportation.

The report reveals that many cybersecurity threats that are prevalent today — including oversharing on social media, unsafe use of WiFi, and exposure of confidential company data — are not well understood by end users. These activities are not only dangers in their own right; they are also contributing factors to the ever-expanding phishing problem.


20 Million Questions Asked and Answered

The Beyond the Phish Report includes data compiled from nearly 20 million questions asked and answered about nine relevant cybersecurity topics:

  • Using Social Media Safely
  • Protecting and Disposing of Data Securely
  • Identifying Phishing Threats
  • Protecting Confidential Information
  • Working Safely Outside the Office
  • Using the Internet Safely
  • Protecting Mobile Devices and Information
  • Protecting Against Physical Risks
  • Building Safe Passwords

We also surveyed hundreds of security professionals — customers and non-customers — about the security topics they assess and their confidence in their end users' abilities to make good security decisions. Key findings from the report show there is room for improvement in a number of areas:

Users, Organizations Are Lax About Social Media Safety

Safe use of social media was the biggest issue for end users; 31% of questions asked about this topic were missed. But organizations are partly to blame here, as only 55% of the infosec professionals we surveyed said they assess employee knowledge about this topic.

Nearly a Third of Users Struggle With Secure Data Handling

On average, end users across all industries missed 30% of questions related to proper data protections and secure data disposal. And while healthcare organizations are most likely to assess their employees’ ability to protect confidential information, 31% of questions about this topic were missed by users in this industry.

Remote Workers Need Better Training on Security Best Practices

With the rise in remote employees and end users who value the ability to work outside the office, organizations need to better educate end users who work remotely and those who travel regularly. Improper use of free WiFi, inattention to physical security, lax data protections, and the lack of security guidelines during travel led to 26% of questions missed by end users on this important topic.


More Attention to Threats Yields a Better Informed Employee Base

In reviewing the results from the Beyond the Phish Report, Derek Brink, CISSP, Vice President and Research Fellow, Aberdeen Group, said, “We should all be thankful to Wombat Security for sharing empirical data from nearly 20 million actual end-user assessments! The findings here are clear — organizations that measure user knowledge on a variety of security topics are gaining valuable insights into the most important factors of security risk, which can focus their efforts to address it.

“Depth of data, combined with a continuous, metrics-based approach to end-user security education, results in a solid knowledge improvement program. In my own analysis, successfully changing user behaviors has helped Wombat customers reduce security-related risks by about 60%.”

While there is room for improvement in all risk areas, the report also highlights categories where employees have answered the highest percentage of questions correctly. Not surprisingly, these were topic areas that organizations were also highly likely to assess.

  • 90% of questions were answered correctly about building safe passwords.
  • 85% of questions were answered correctly on how to best protect against physical risks, such as ensuring no one follows you into a secure area or not leaving sensitive files on your desk.
  • 79% of organizations assess end users on internet safety, and 84% of the questions in this category were answered correctly.