CIO

Analysis of end-user cybersecurity training reveals security gaps

Users knew the least about spotting phishing, protecting data, cybersecurity compliance, and mobile device protection

End users failed around 9 percent of simulated phishing attacks and answered 22 percent of phishing-related knowledge questions wrong, according to a new analysis of real-world end-user training that highlights the security areas where users run the most risk of slipping up.

Some 83 percent of global organisations experienced phishing attacks during 2018, according to Proofpoint, which analysed end-user responses to more than 130 million questions administered during email-security training over 14 months from January 2018.

The analysis – contained in the recently released Beyond the Phish 2019 report – provided a snapshot of users’ strengths and weaknesses while being evaluated against 14 different security-related topics.

The modules attracting the most wrong answers included those about identifying phishing threats and protecting data throughout its lifecycle (25 percent wrong answers), compliance-related cybersecurity directives and protecting mobile devices and information (25 percent wrong answers), and using the Internet safely (20 percent).

Users were least perplexed by topics including unintentional and malicious insider threats (13 percent wrong), passwords and account authentication (12 percent), and avoiding ransomware attacks (11 percent).

“Cybercriminals are experts at gathering personal information to launch highly targeted and convincing attacks against individuals,” said Amy Baker, vice president of security awareness training strategy and development with Proofpoint.

“Implementing ongoing and effective security awareness training is a necessary foundational pillar when building a strong culture of security. Educating employees about cybersecurity best practices is the best way to empower users to understand how to protect theirs and their employer’s data, making end users a strong last line of defence against cyber attackers.”

They may be a strong last line of defence, but end users struggled most with questions about mobile device encryption, protections for personally identifiable information (PII), the role of technical safeguards in preventing successful social-engineering attacks, distinctions between private data and public data, and actions to take following a suspected physical security breach.

Users working in managed-services firms – who apply the firm’s Continuous Training Methodology – performed better overall than the entire cohort of end users. However, even those service experts still struggled to answer questions in areas such as compliance-related cybersecurity directives and protecting mobile devices and information.

The results provide valuable insight into the areas where users are most likely to struggle in real-world scenarios – potentially helping security executives refine their targeted training to improve end-users’ overall knowledge in the pursuit of email-security best practice.

The gap between the 9 percent simulated phishing attack failure rate and 25 percent incorrect response rate for phishing questions suggested that many users are able to avoid a phishing attack in the wild even if they don’t know exactly why.

Yet monitoring and improving users’ levels of competence remains crucial, given the potential disruption that can be caused from a single errant click.

Some 36 percent of the respondents to Barracuda Networks’ recent 2019 Email Security Trends report, for example, said that email-borne attacks had caused downtime and business disruption within their company.

Twenty percent said such attacks had incurred significant recovery costs, while 16 percent had lost sensitive, confidential, or business-critical data.

Just 21 percent of respondents to the Barracuda study said their employees were doing a “great job of identifying suspicious emails and alerting IT only when needed”, while 18 percent said their employees “are careless and don’t recognise obviously suspicious emails”.