The Beyond the Phish Report from Wombat Security provides valuable insights into the state of security awareness across different industry sectors. For the report, Wombat Security analyzed the responses to almost 85 million questions and answers collected from employees of its customers across 16 industry sectors.
The questions covered 12 different categories including protecting confidential information, safe use of passwords, identifying phishing emails, working safely outside the office, safe use of the Internet, protecting mobile devices and information, disposing of data securely, avoiding ransomware attacks, and safe use of social media.
The analysis of responses to the questions reveals several gaps in end users' understanding of threats. Those knowledge gaps could well lead to a breach of sensitive information or the installation of malware.
Overall, across all industry sectors, the biggest area of weakness was protecting confidential information, which is a concern with the EU General Data Protection Regulation (GDPR) compliance deadline fast approaching. 25% of respondents answered questions in this category incorrectly. Identifying phishing threats was another area of concern, with 24% of employees failing to answer questions correctly in this category.
In the protecting and disposing of data securely category and the protecting mobile devices and information category, 23% of questions were answered incorrectly, with a 21% failure rate in safe use of the Internet and in identifying common security issues. The category with the most correct answers – 89% – was avoiding ransomware attacks; building safe passwords was also well understood, with 88% of questions answered correctly.
It is reassuring to discover that the best performing industries were Government and Technology, with just 20% of questions answered incorrectly. However, the healthcare industry did not fare so well. This is a serious concern considering how frequently healthcare employees are targeted. It is also interesting to note that the healthcare industry is required by law to provide security awareness training to employees regularly. In healthcare – along with manufacturing and professional services – 23% of questions were answered incorrectly. The worst industry sector, with 24% of questions answered incorrectly, was hospitality.
The worst performance in any single category was protecting mobile devices and information, with 35% of questions answered incorrectly by employees in the hospitality sector, closely followed by protecting confidential information, with a 33% failure rate in the defense industrial base. The hospitality industry also answered 32% of questions incorrectly in the protecting and disposing of data securely category.
Even though the Health Insurance Portability and Accountability Act (HIPAA) requires healthcare organizations to securely dispose of sensitive information, there was a 28% failure rate in this category in healthcare. Protecting mobile devices and information (27% failure) and protecting confidential information (26% failure) – also covered by HIPAA Rules – are also areas of concern.
The solution is further training. Conducting regular security awareness training sessions, varying the training methods used, using phishing simulation emails, and sending regular security-related emails can all help to improve the security awareness of the workforce and develop a security culture in an organization.