Proofpoint used data from nearly 130 million responses submitted to its Security Education Platform from January 2018 through February 2019 to create its fourth annual "Beyond the Phish" report.
For the report, Proofpoint asked users questions across 14 subjects to assess their cybersecurity knowledge. Those surveyed answered an average of 22 percent of the questions incorrectly. According to the report, these incorrect answers show "the complexity of these topics and the nuances around phishing, around data protection, and around understanding of some compliance directives related to cybersecurity."
The report found that employees are weakest in the following areas:
- Identifying phishing threats;
- Protecting data throughout its lifecycle;
- Compliance-related cybersecurity directives;
- Protecting mobile devices and information;
- Mobile device encryption;
- Securing personally identifiable information (PII);
- Technical safeguards in blocking social engineering attacks;
- Distinguishing public from private data; and
- Responding to a suspected physical security breach.
On the other hand, respondents did well on questions related to avoiding ransomware attacks; passwords and account authentication; unintentional and malicious insider threats; identifying potentially risky communication channels; physical security safeguards while traveling; recognizing ransomware and malicious pop-ups; and risks associated with Bluetooth pairing.
Another report, INKY's "2019 Special Phishing Report," found that cybercriminals are adopting more sophisticated phishing techniques, including brand forgery emails intended to harvest credentials; methods to bypass secure email gateways; and "hidden text" attacks that pad a message with invisible gibberish text so that it slips past email security filters. (Kelly Sheridan, "How to Catch a Phish: Where Employee Awareness Falls Short," darkreading.com, Jul. 11, 2019.)
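The "hidden text" technique described above works because a content filter reads the whole HTML body while the recipient sees only what the mail client renders. The following scanner is an added example written for this page; it is not code from Proofpoint, INKY, or the cited article. It flags inline styles that make text invisible (display:none, font-size:0, transparent or white foreground colour, zero opacity) and zero-width characters that split keywords, then compares how much text is hidden against how much the reader would actually see. The style heuristics, the constructed sample message, and the suspicion threshold are all assumptions for illustration; a production gateway would also have to evaluate <style> blocks, external stylesheets, and off-screen positioning, preferably with a real HTML parser rather than regular expressions.

```python
import html
import re
from typing import Dict, List

# Inline-style patterns that render text invisible to a human reader while it
# stays visible to a naive content filter. Heuristics chosen for this example
# (assumption); they deliberately avoid matching "background-color: white" and
# non-zero values such as "opacity: 0.5" or "font-size: 0.9em".
_HIDING_STYLE = re.compile(
    r"display\s*:\s*none"
    r"|visibility\s*:\s*hidden"
    r"|font-size\s*:\s*0(?:px|pt|em|%)?(?![.\d])"
    r"|opacity\s*:\s*0(?:\.0+)?(?![.\d])"
    r"|(?<![\w-])color\s*:\s*(?:transparent|white|#fff(?:fff)?)(?!\w)",
    re.IGNORECASE,
)
# An element carrying an inline style attribute, captured with its inner content.
_STYLED_ELEMENT = re.compile(
    r"<(\w+)[^>]*\bstyle\s*=\s*([\"'])(.*?)\2[^>]*>(.*?)</\1>",
    re.IGNORECASE | re.DOTALL,
)
_TAG = re.compile(r"<[^>]+>")
# Zero-width code points that split a keyword so it no longer matches a blocklist.
_ZERO_WIDTH = {"\u200b", "\u200c", "\u200d", "\u2060", "\ufeff"}

# Constructed sample of a credential-harvesting lure padded with hidden text.
# The link target is a reserved example domain, not a real site.
SAMPLE_EMAIL_HTML = """\
<html><body>
<p>Dear customer,</p>
<p>Your <span style="font-size:0px">qzx lorem ipsum</span>account
<span style="display:none">dolor sit amet bypass</span>will be sus\u200bpended
unless you <a href="https://example.invalid/verify">verify</a> it today.</p>
<p style="color:white">random filler text to dilute the content filter</p>
</body></html>
"""

# Constructed benign message: a white background is not hidden text.
CLEAN_EMAIL_HTML = '<p style="background-color:white">Your statement is ready.</p>'


def find_hidden_text(body: str) -> List[Dict[str, str]]:
    """Return one finding per hidden element plus one for zero-width characters."""
    findings: List[Dict[str, str]] = []
    for match in _STYLED_ELEMENT.finditer(body):
        style, inner = match.group(3), match.group(4)
        hit = _HIDING_STYLE.search(style)
        if hit:
            text = html.unescape(_TAG.sub("", inner)).strip()
            if text:
                findings.append({"reason": hit.group(0), "text": text})
    zero_width = sum(1 for c in body if c in _ZERO_WIDTH)
    if zero_width:
        findings.append({"reason": "zero-width characters",
                         "text": f"{zero_width} occurrence(s)"})
    return findings


def visible_text(body: str) -> str:
    """Approximate what the recipient sees: drop hidden elements, tags and zero-width chars."""
    stripped = _STYLED_ELEMENT.sub(
        lambda m: "" if _HIDING_STYLE.search(m.group(3)) else m.group(0), body)
    text = html.unescape(_TAG.sub(" ", stripped))
    text = "".join(c for c in text if c not in _ZERO_WIDTH)
    return " ".join(text.split())


def hidden_text_ratio(body: str) -> float:
    """Hidden characters divided by visible characters (0.0 when nothing is hidden)."""
    hidden = sum(len(f["text"]) for f in find_hidden_text(body)
                 if f["reason"] != "zero-width characters")
    return hidden / max(len(visible_text(body)), 1)


def is_suspicious(body: str, ratio_threshold: float = 0.1) -> bool:
    """Flag a message if any keyword-splitting characters appear or hidden text is
    more than ratio_threshold of the visible text (threshold is an assumption)."""
    findings = find_hidden_text(body)
    has_zero_width = any(f["reason"] == "zero-width characters" for f in findings)
    return has_zero_width or hidden_text_ratio(body) > ratio_threshold


if __name__ == "__main__":
    for f in find_hidden_text(SAMPLE_EMAIL_HTML):
        print(f"[{f['reason']}] {f['text']}")
    print("visible:", visible_text(SAMPLE_EMAIL_HTML))
    print(f"hidden/visible ratio: {hidden_text_ratio(SAMPLE_EMAIL_HTML):.2f}")
    print("suspicious:", is_suspicious(SAMPLE_EMAIL_HTML), is_suspicious(CLEAN_EMAIL_HTML))
```

Running the block prints the three hidden fragments, the zero-width count, and the sentence the recipient actually reads ("Dear customer, Your account will be suspended unless you verify it today."), which is the text a filter or an awareness reviewer should judge; the padding that dilutes the body is reported separately rather than silently blended in.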
Employee negligence is the biggest data threat to employers. Negligence is prevented through training.
Employees should be trained on passwords, preventing malware, identifying phishing, preventing social engineering schemes, mobile device and wi-fi security, and more. The more training and the more frequent the training, the better.
Training should start on the first day with an orientation period and then a day or two on training to protect data.
Employers should keep cybersecurity concerns in front of their employees' minds by circulating daily or weekly news updates on new or developing risks and real-life cyberthreats. Only when cybersecurity is on an employee's mind for every email communication, day in and day out, can your organization be best protected.