Preview of the 2017 State of the Phish Report
Hawthorn gave attendees an advance look at some of the findings from our third annual State of the Phish Report, which includes data analyzed from
- millions of simulated phishing attacks sent over 12 months;
- more than 500 survey responses from our database of infosec professionals; and
- more than 2,000 answers from end users in the U.S. and UK, who were surveyed about their phishing knowledge and behaviors.
Hawthorn noted that the Wombat data indicates that simulated phishing and education activities are working; as programs mature, click rates show that anti-phishing training delivers measurable improvements over time. He also said that surveyed infosec professionals reported that phishing attacks appear to be tapering off some — but he cautioned that although awareness is improving, “Risky behaviors still exist.”
He also shared some key results from the end-user survey in the U.S. and the UK, which was managed by an independent third party:
- The majority of people know what phishing is in general terms, though users in the UK exhibited a higher awareness than those in the U.S. (72% vs. 65%).
- Less than half of end users were aware of what ransomware is (U.S.: 34%; UK: 38%).
- UK end users exhibit better corporate email hygiene than those in the U.S. Only 31% of UK respondents admitted to checking their personal email on work devices (compared to 50% in the U.S.), and just 29% of UK users said they check corporate email on their personal mobile devices (vs. 49% of U.S. users).
Hawthorn also shared some results from Wombat’s survey of infosec professionals, the current state of the ransomware threat, and a look at the kinds of phishing templates and topics that are being used most often (and the click rates for these types of simulated attacks).
The Red Thread: Education Is Critical to Long-Term Risk Reduction
All three presenters discussed the important role cybersecurity awareness and training programs play in combatting the phishing threat. Bernstein said, “Phishing defense is really a personnel management issue, not purely a technological trick. By far the best defense is training your people to recognize [phishing] and then practicing. You need to conduct training, and then practice it.”
Parker reinforced that by saying, “Phishing emails are starting to look really good. And there will always be malicious actors seeking to impersonate real people to get info out of your team members. You need to educate your staff how to recognize when they are being phished.”
Hawthorn spoke about the significant change he’s seen in the industry over time. In the 1990s, the focus was on networks, he said, and in the 2000s it was “all about application security and then it became about endpoint security.” But he sees much more importance placed on the end user now, saying, “I think we’re starting to get to the point where organizations are viewing their individual users as sources of risk, based on their behaviors and their access rights.” The attitudes related to security awareness training programs have shifted significantly, Hawthorn said, and organizations are starting to see the value in these activities.