Employees Practically Chum the Waters for Phish

Here phishy phishy phishy…said no enterprise ever. Officially, that is.

The reality is that oblivious employees are practically chumming the water with social-engineering gullibility.

Wombat Security Technologies’ Beyond the Phish Report undertook the analysis of nearly 20 million questions and answers geared to determine how well end users understand security threats. Apart from being immediately struck by what staggering fun that endeavor sounds, what stands out the most here is the fact that in most categories, respondents missed about a third of the questions.

That translates to about a C- in school terms. Yeesh.

The report reveals the many cybersecurity threats that are prevalent today, such as oversharing on social media, unsafe use of Wi-Fi, and company confidential data exposure, are contributing factors to the ever-growing problem of phishing.

In the last year, the number of organizations that reported being a victim of phishing has increased 13%, and 60% of enterprises said the rate of phishing attacks has increased overall. Some industries fare worse than others: Healthcare workers for instance had a 13% click-through rate on simulated phishing mails.

Perhaps unsurprisingly, the No. 1 problem area for end users, with 31% of questions missed, is safe social media use. All of that tweeting and liking and reposting and sharing increasingly takes the place of real human interaction, but the consequences go far beyond turning us into socially anxiety-prone shut-ins.

For instance, when asked, “what is your confidence level that your employees know not to post pictures or locations on social media that could be harmful to your organization’s security?” a full 38% of respondents said, “not very.” Only a third said they were confident.

It might seem obvious to us in the security biz that socializing company details, email addresses, internal tidbits of information and so on gives cyber-criminals the building blocks that they need to craft up believable, targeted mails—including whaling mails; but clearly the average worker doesn’t really get that.

"Clearly, phishing is a focus area across the industry, but the efforts can't stop there," said Joe Ferrara, president and CEO of Wombat. "To reduce cyber-risk in organizations, security education programs must teach and assess end users across many topic areas, like oversharing on social media and proper data handling. Many of these risky behaviors exacerbate the phishing problem."

End users also missed 30% of questions about protecting and disposing of data securely, second only to safe social media use.

Furthermore, with the rise in remote working and end users who value the ability to work outside of the office, organizations need to educate their employees on how to stay safe out there. Improper use of free Wi-Fi, inattention to physical security, lax data protections and the lack of security guidelines during travel led to 26% of questions missed by end users on this important topic.

It's not all bad news: 90% of questions were answered correctly about building safe passwords (alarmingly though, professional services and healthcare employees performed the lowest on the nearly 1 million questions asked about this); and 85% of questions were answered correctly on how to best protect against physical risks, such as ensuring no one follows you into a secure area or not leaving sensitive files on one’s desk.

But still. To keep the phishing phrenzy at bay, clearly workers need to get some savvy on basic cybersecurity best practices.

Photo © sabza

What’s Hot on Infosecurity Magazine?