‘Beyond the Phish’ Report Examines End-User Cybersecurity Knowledge

Share with your network!

We’re excited to announce the launch of the 2019 Beyond the Phish report, our fourth-annual look at the cybersecurity knowledge levels of our customers’ end users. This year’s report features analysis of data related to nearly 130 million cybersecurity questions and offers insights into employee knowledge levels across 14 categories, 16 industries, and more than 20 commonly used department classifications.

Key findings of this security awareness training study include the following:

  • Overall, one in every four questions in the “Identifying Phishing Threats” and “Protecting Data Throughout Its Lifecycle” categories were answered incorrectly.
  • Communications was the best performing department, with end users correctly answering 84 percent of questions.
  • Finance was the best performing industry, with end users answering 80 percent of all questions correctly.
  • Customer Service, Facilities, and Security were among the worst performing departments, with end users incorrectly answering an average of 25 percent of cybersecurity questions asked.[1]
  • End users in the education and transportation industries struggled the most, on average, answering 24 percent of questions incorrectly across all categories.
  • End users in the insurance industry delivered the best performance in three of the 14 categories analyzed, specifically excelling in the “Avoiding Ransomware Attacks” category.
  • Hospitality employees scored the lowest in three categories, including “Physical Security Risks,” in which 22 percent of questions were answered incorrectly.

Why We Go ‘Beyond the Phish’

Phishing remains a leading concern for organizations worldwide. As we revealed in our 2019 State of the Phish report, 83 percent of global organizations experienced phishing attacks in 2018, underscoring the urgent need to educate end users.

Still, email-based attacks themselves are not the sole source of an organizations’ end-user risk. For example:

  • Lax social media habits can expose important details that cybercriminals can leverage to create and launch a variety of targeted and believable social attacks, including phishing, vishing (voice phishing), smishing (SMS/text phishing), and business email compromise (BEC) campaigns.
  • Careless data management and physical security practices can lead to breaches and loss or theft of confidential or proprietary information.
  • Poor password habits can lead to credential compromise and give attackers access to organizational systems and data.
  • Lack of awareness can turn employees into unintentional insider threats.

Many organizations are relying on simulated phishing attacks and/or infrequent training exercises to assess end users’ vulnerabilities and teach good cybersecurity practices. Cybercriminals have broadened their approach to end-user attacks, so a narrow focus on certain components of cyber hygiene is not enough to fully prepare users to identify and change the behaviors that can compromise security at work and within their personal lives.

“Organizations need to be persistent and thorough in their security awareness training programs, considering the end-user behaviors that influence and impact overall security postures. This annual report reiterates the need to go beyond the use of phishing tests to evaluate end-user susceptibility and cyber threat knowledge,” said Amy Baker, vice president of Security Awareness Training Strategy and Development for Proofpoint.

“It’s important to remember that not all security incidents stem from an attack; many issues result from limited awareness and poor security practices. Our research has shown a significant increase in safe behaviors when organizations take a well-managed, continuous approach to training across all cyber topics.”

Download Your Copy of the Report

Companies worldwide trust Proofpoint to educate their employees on the latest cyber threats and best practices. Effective education is imperative as cybercriminals have shifted away from attacking infrastructure and are targeting individuals, making a people-centric security approach essential.

To download the 2019 Beyond the Phish report, and see a full list of category, department and industry comparisons, please visit: https://www.proofpoint.com/us/resources/threat-reports/beyond-phish. To learn more about the findings, register for our August 28 SecureWorld webinar, “Beyond the Phish: A Snapshot of End-User Behavior.” Content will be accessible live or on demand, and CPE credits will be available.


[1] Department designations are respondent-defined. For example, the Security department could include both physical security and cybersecurity.