The following are excerpts from a blog article written by Greta Egan, a security awareness training strategist for Proofpoint.
Proofpoint Security Awareness Training (formerly Wombat Security) recently released its annual State of the Phish Report, a study that offers insights into three key components of the phishing threat landscape: end-user understanding of fundamental cybersecurity concepts; an InfoSec view of social engineering attacks and impacts; and how to better manage end-user risk through security awareness training.
This year’s report draws data from three primary sources:
- A five-question third-party survey of more than 7,000 working adults across seven countries (the U.S., Australia, France, Germany, Italy, Japan, and the UK). Questions were designed to show how well end users understand commonly used cybersecurity terms like phishing, ransomware, and vishing.
- Nearly 15,000 responses to quarterly surveys of InfoSec professionals from around the world.
- Data from tens of millions of simulated phishing attacks Proofpoint customers sent to their end users over one year (October 2017 through September 2018).
Following are three key findings from this year’s report.
#1: Social engineering attacks jumped across the board
Overall, 83% of global info security respondents experienced phishing attacks in 2018, an increase from 76% in 2017. However, this attack method wasn’t the only one that saw greater use last year; survey respondents reported a higher frequency of all types of social engineering attacks year over year:
#2: Credential compromise has increased by 280% since 2016
Each year, Proofpoint asks InfoSec professionals about the impacts they are experiencing related to phishing attacks. This year, compromised accounts bypassed malware infections as the most commonly identified impact of successful phishing attacks.
In 2018, reports of compromised accounts rose 70% over 2017, and they’ve soared 280% since 2016. The responses from the InfoSec audience reinforce the rise in credential-based phishing that Proofpoint researchers noted in their mid-2018 Protecting People report.
#3: Baby boomers outperform all others in recognition of phishing and ransomware terminology
The State of the Phish Report offers cautionary advice for InfoSec teams: At a fundamental level, many working adults still aren’t familiar with terms like phishing and ransomware—and assumptions of familiarity could be negatively impacting security awareness training initiatives.
But the study also illustrates the differences that exist at a generational level, particularly with millennials, who are playing such a significant role in today’s global workforce. Often, the perception is that these “digital natives” have a level of cyber-savvy that leaves them more aware of digital risks and, as such, more likely to understand cybersecurity best practices.
Unfortunately, it’s clear that a high level of cyber comfort does not translate into a solid sense of cybersecurity fundamentals. Millennials fell significantly behind at least one other age group on all questions we asked, and baby boomers—arguably the least cyber-savvy demographic from the survey—outperformed all others in the fundamental understanding of phishing and ransomware.
“Email is the top cyber attack vector, and today’s cybercriminals are persistently targeting high-value individuals who have privileged access or handle sensitive data within an organization,” said Joe Ferrara, general manager of Security Awareness Training for Proofpoint. “As these threats grow in scope and sophistication, it is critical that organizations prioritize security awareness training to educate employees about cybersecurity best practices and establish a people-centric security strategy to defend against threat actors’ unwavering focus on compromising end users.”
Click the link below to download your copy of the 2019 State of the Phish Report for a full look at the results of Proofpoint’s global surveys (including regional data comparisons); how users across 16 industries are performing on simulated phishing tests; and the ways organizations can use threat intelligence and their security awareness training data to identify weak spots in security postures and address the users and departments that are putting them at risk.