The latest Beyond the Phish Report from Wombat Security Technologies has shown employees are getting better at identifying phishing emails, and investment in security awareness training is paying off.
Last year’s report included an analysis of employees’ responses to a Q&A assessment that measured security awareness and susceptibility to phishing attacks. In 2016, more than 20 million answers were analyzed; this year’s sample increased to more than 70 million Q&As.
In 2016, 28% of employees failed to recognize phishing emails. This year’s analysis saw the number of employees that failed to identify phishing emails fall to 24%.
While it is certainly good news that security awareness is improving, there is clearly still a long way to go. All it takes is for one employee to respond to a phishing email to see an email account compromised or malware installed. The fact that almost a quarter of employees failed to correctly identify phishing emails is a major cause for concern.
For the Q&As, if the answers to questions were not known, it was possible to skip the question. The most commonly skipped category of question related to protecting healthcare and credit card information. 26% of the questions were missed in this category. Another major problem area was highlighted by the number of missed questions and incorrect answers on the sharing of login credentials.
While there were improvements in many of the categories tested, one area that saw a decrease was mobile applications and permissions, with more respondents unsure about the implications of granting permissions to mobile phone applications in 2017. Disposing of sensitive information was also an area of concern, with a quarter of respondents answering questions incorrectly.
Interestingly, last year saw positive scores relating to safe Internet access, but this year those scores decreased significantly. It was clear from these results that security awareness training cannot be a one-time event, and reinforcement of training is essential to ensure knowledge is retained.
Aspects of security that have shown continuous improvement year over year are the use of social media and working remotely. Password security was the best understood aspect of security in 2016 and 2017. Only 12% of users answered password security questions incorrectly this year.
Overall, the industries that saw the worst scores were healthcare, retail, and transportation. The poor scores for healthcare employees are of major concern, since the industry is one of the most commonly attacked.