Corporate users struggle to identify phishing attacks, other security threats

An audit of security awareness conducted by Proofpoint found that users on average answered 22% of security-related questions incorrectly.

What to include in an enterprise cybersecurity plan At RSA 2019, Steve Martino of Cisco discussed the top cybersecurity threats businesses are facing, and how to help employees improve their security posture.

Your organization may use the best software, hardware, and other resources to protect against phishing attacks, malware, ransomware, and other security threats. But all the defenses that guard your front gates can only do so much if your employees aren't also aware of and alert to the potential dangers from hackers and cybercriminals. Released on Wednesday, a report called Beyond the Phish revealed the results of an audit performed by Proofpoint, finding that employees were knowledgeable in certain areas of cybersecurity but lacking in other aspects.

Conducted between January 1 and February 28 of 2019, the audit questioned users across 16 different industries to gauge their awareness of phishing, ransomware, mobile device security, password hygiene, social media, and several other topics related to security. The data collected comprises almost 130 million questions answered by end users of Proofpoint's corporate customers.

SEE: 10 ways to raise your users' cybersecurity IQ (free PDF) (TechRepublic) 

On average, users answered 22% of the questions incorrectly. That's up slightly from 19% in 2018, though Proofpoint acknowledged that its assessments were tougher this year than they were last year. Among the top topics that elicited incorrect answers were Identifying Phishing Attacks, Protecting Data Through its Lifecycle, Compliance-related Cybersecurity Directives, Protecting Mobile Devices and Information, and Using the Internet Safely. Users offered fewer incorrect responses with such topics as Avoiding Ransomware Attacks, Passwords and Account Authentication, and Unintentional and Malicious Insider Threats.

Further, users struggled to answer questions in the following categories:

  • Mobile device encryption
  • Protections for personally identifiable information (PII)
  • The role of technical safeguards in preventing successful social engineering attacks
  • Distinctions between private data and public data
  • Actions to take following a suspected physical security breach

On the positive side, many users mastered the following topics:

  • How to identify potentially risky communication channels
  • Physical security safeguards while traveling
  • Recognition of cyber threats such as ransomware and malicious pop-up windows
  • Risks associated with Bluetooth pairing
  • Clean-desk best practices such as "lock before you walk"

Users' knowledge regarding security questions varied across different industries. The highest percentage of incorrect answers were discovered in education, transportation, energy, healthcare, and manufacturing. The highest percentage of correct answers came from finance, telecommunications, technology, insurance, and government. The report also offered specific examples based on industry.

With the topic of How to Avoid Ransomware Attacks, those in the insurance industry got only 8% of the questions wrong, compared to the Defense Industrial Base, which got 22% wrong. For the topic of Password and Account Authentication, users in the transportation industry fared best, answering only 7% of the questions wrong, versus the Professional Services industry, which got 18% wrong. And on the topic of Using Social Media Safely, the entertainment industry answered only 12% of the questions wrong compared with the Defense Industrial Base, which got 31% of them wrong.

Knowledge also varied by topic. Users in transportation ranked highest in three categories: Passwords and Account Authentication, Protecting Mobile Devices and Information, and Working Safely Outside the Office. But they were challenged to identify factors related to phishing attacks. People in education did well at identifying physical security and Internet-based threats but didn't perform well in such categories as Cybersecurity Concerns for Working Adults and Social Engineering and Related Scams.

To improve user understanding of security threats and issues, education is key, according to Proofpoint.

"Organizations must take a people-centric approach as well—and not just to stop external attacks," the report concluded. "Not all security incidents are solely the result of an attack; many arise from poor user security practices and a general lack of awareness. Treat email-based phishing threats with the care and attention they deserve—but take your security awareness training beyond the inbox. Simulated phishing attacks are an excellent tool to assess vulnerability to specific lures and traps. They can also help raise awareness of email-based attacks. But individual phishing examples cannot teach users about the nuances of these threats."

Also see

CYBER SECURITY Business, technology, internet and networking concept. Young businessman working on his laptop

Image: iStockphoto/juststock