Wombat Security Technologies (Wombat), the leading provider of cyber security awareness and training, today announces the release of its annual State of the Phish™ research report. The report findings demonstrate that the war against phishing is still on, with 76% of organizations experiencing phishing attacks in 2017 and nearly half of information security (infosec) professionals saying that the rate of attacks increased from 2016. The impacts of phishing were also more broadly felt than in 2016, with an 80+% increase in reports of malware infections, account compromise, and data loss related to phishing attacks.
Even so, Wombat customers show positive trends and progress within their programs, with declining click rates and increases in the number of suspicious emails identified and reported by end users. Unfortunately, awareness of phishing and ransomware has not trickled down to the average technology user, as revealed by the international third-party survey that was conducted as part of the State of the Phish research.
The fourth annual State of the Phish Report assembles data from three main sources:
- Analysis of tens of millions of simulated phishing attacks sent through Wombat’s Security Education Platform over a 12-month period
- 10,000+ responses collected from quarterly surveys of Wombat’s database of infosec professionals (customers and non-customers) from more than 16 industries
- Insights from a third-party survey of more than 3,000 technology users (1,000+ adults each in the US, UK, and Germany)
The 2018 report is structured differently than in prior years, with data presented via four overarching themes:
- Business intelligence gathered from simulated phishing data and real-world experiences of infosec professionals
- Factors that influence click rates and reporting (such as industry and program maturity) and data about use of consequence models
- Key differences between organizational approaches to end-user risk management in the US and the UK
- End-user knowledge levels related to phishing, ransomware, and smishing (SMS/text message phishing)
Also new this year is a more in-depth look at regional differences between US and UK approaches to cyber security education. Wombat found that UK organizations are less likely to assess end users’ susceptibility to phishing attacks; more frequently use passive security awareness and training tools (like videos, posters, and newsletters); and are much more likely to rely on yearly cybersecurity training. The report also reveals that US organizations — which favor interactive training methods delivered on a monthly or quarterly basis — are more than twice as likely to realize quantifiable results from their efforts.
“The State of the Phish Report shows that simulated phishing attacks are certainly valuable tools in the battle against social engineering attacks, but it also reinforces the need for CSOs, CISOs and their teams to take a broader view of cybersecurity education,” said Joe Ferrara, President and CEO of Wombat Security. “A cyclical approach to security awareness and training is the most effective. Organizations should employ a methodology that both raises awareness of cybersecurity best practices and teaches users how to employ these practices when they inevitably face a security threat.”
Other key findings:
- Continued momentum for anti-phishing education: For the fourth consecutive year, Wombat saw an increase in the number of organizations that assess and train their users on phishing avoidance.
- Increased use of computer-based training: The number of organizations using computer-based training this year jumped from 62% in 2016 to 79% in 2017.
- Smishing (SMS/text message phishing) as an emerging threat: 45% of infosec professionals reported experiencing phishing via phone calls (vishing) and SMS/text messaging (smishing). Yet, globally, the majority (67%) of technology users surveyed were unable to even guess what smishing is.
- Generational differences: Across all populations, adults aged 55 and older significantly outpace millennials in their recognition of what phishing is.
- German users struggle to define ransomware: Nearly 70% of surveyed technology users in Germany were unable to identify what ransomware is.
“This report is filled with new information and analysis that we hope will empower infosec professionals to more effectively develop their own security awareness and training programs and, in turn, better manage end-user risk,” said Amy Baker, VP of Marketing at Wombat Security. “As organizations continue to see the detriment phishing and ransomware can have on the health and longevity of a business, we want to equip them with the data they need to protect their customers’ and their own valuable information.”
You can read the full report here.