STATE OF THE PHISH | 2019
THREE PILLARS OF CONTENT
FOR THIS YEAR’S REPORT, WE FOCUS ON THREE KEY AREAS OF DATA AND ANALYSIS:

The Extent of End-User Risk

Proofpoint threat intelligence continues to demonstrate attackers’ focus on end users, and it validates the need to take a people-centric approach to cybersecurity. But what if organisations aren’t following that model?

In this section of the report, you’ll find the results of our five-question, seven-country survey, which was designed to gauge the fundamental cybersecurity knowledge of working adults around the world. We include global averages and country-by-country breakdowns for responses to each question. We also feature analysis by age groups, which examines how millennials — a key demographic for organisations worldwide — compare to baby boomers and others in terms of cybersecurity awareness.

USER RISK REPORT: Find out more about the cybersecurity knowledge levels of working adults around the world in our 2018 User Risk Report.

What Infosec Pros Are Experiencing

This section of the report reveals the results of our quarterly surveys of infosec professionals. We cover a number of key topics, including the following:

• The different types of social engineering attacks organisations are experiencing
• The frequency of phishing and spear phishing attacks
• How phishing is impacting organisations
• How organisations are using security awareness training tools to manage end-user risk
• Application of consequence models and escalation paths

We also take a high-level, regional look at the survey data, highlighting interesting variations among respondents who reside in one of three key business regions: North America, EMEA and APAC.

Security Awareness Training: Outcomes and Opportunities

We close this year’s report with an in-depth look at the data gleaned from our Security Education Platform. This SaaS-based learning management system (LMS) allows our customers to plan and execute phishing awareness training programmes, as well as to gather business intelligence about these activities. You’ll find the following results and analysis:

• Average failure rates across different phishing campaign types
• The simulated phishing templates and themes favoured by programme administrators
• Average failure rates by industry and department
• How personalisation and programme maturity influence failure rates
• Visibility into frequently attacked targets across multiple industries
• Phishing templates that most frequently fool end users
• Insights into end-user reported emails
SECTION 1: THE EXTENT OF END-USER RISK

The Human Factor 2018, a Proofpoint report based on threat intelligence gathered from analysis of more than one billion emails per day, makes one thing abundantly clear: cyber attackers are increasingly focusing their attention on people, not technical defences. As the report states, “Attackers are adept at exploiting our natural curiosity, desire to be helpful, love of a good bargain and even our time constraints to persuade us to click.”

Proofpoint researchers reported the following:

• Email is the top attack vector, with threat actors using macro and micro-level campaigns to target employees across organisational levels and job functions.
• The brand equity of large enterprises is under attack, with suspiciously registered domains outpacing defensive brand-registered domains at a ratio of 20 to 1.
• Millions of users are facing malvertising campaigns that feature fake browser and plugin updates laden with dangerous software and exploit kits.
• Cybercriminals are leveraging the lure of pirated content in their social media-based attacks. Approximately 35% of these scams tempted users with video streaming and movie downloads.

HUMAN FACTOR REPORT: Learn more about how cybercriminals are exploiting human nature by attacking people rather than technology.

Knowing the landscape, we wanted to connect the dots to end-user knowledge levels and explore the potential vulnerabilities for organisations that are not running measurable security awareness training programmes — meaning, they don’t have the tools in place to know which employees are actively engaging with training and progressively learning over time.

To make this connection, we commissioned a third-party survey of working adults from around the world. Participants were representative of workers who are currently employed by global organisations of all sizes: technology users who may or may not have a solid grasp of cybersecurity best practices.

We asked five relatively simple, multiple-choice questions of 7,000 end users across seven countries (the US, UK, France, Germany, Italy, Australia and Japan). All questions focused on fundamental cybersecurity concepts, including high-profile topics (like phishing and ransomware), and lesser-known but frequently experienced attacks like smishing (SMS/text message phishing) and vishing (voice phishing).

We found that, in general, end users are not familiar with commonly used infosecurity terms. In addition — and of particular concern — many are relying on IT teams to automatically discover and fix accidental downloads of malicious software. The lack of clarity with regard to the role of IT in attack prevention could be giving users a false sense of security and unnecessarily taxing infosec resources.