End-user security ignorance laid bare in new report

Less than a quarter of people aged between 23 and 38 (so-called millennials) can correctly define the term “ransomware”, more than one-fifth of Brits don’t know how to change their Wi-Fi security settings, one-third of Aussies “don’t feel the need” to ever use a VPN, 30% of Americans think “malware” is something used to extend the range of a Wi-Fi router, and 50% of people who take a work device home have let their friends and family use it.

These were just some of the more intriguing findings in Proofpoint’s sixth annual State of the Phish report, which highlighted the scale of ignorance among end-users when it comes to cyber security, the scale of the challenge facing security professionals, and the scale of the security industry’s failure to educate.

In a world where 90% of global organisations surveyed said they had been targeted by business email compromise (BEC) and spear phishing attacks, Proofpoint assembled data from nearly 50 million simulated phishing attacks, third-party survey responses by security professionals in Australia, France, Germany, Japan, Spain, the UK and the US, and 3,500 working adults.

It found that the majority of people in general failed to observe the basic principles of cyber security hygiene. For example, 45% admitted to password reuse, more than 50% did not password protect their home networks, 32% were unfamiliar with VPNs, and 90% used their work PCs and smartphones for personal activities.

Recognition of common security terms, such as malware, phishing and ransomware, was also found to be lacking. Only 61% could correctly define phishing, and only 31% malware, exposing both a knowledge gap and a language barrier for security educators. Recognition also varied wildly between age groups. Millennials tended to underperform in security awareness, reflecting other recent studies on the same topic, although it is not clear why this should be.

“Effective security awareness training must focus on the issues and behaviours that matter most to an organisation’s mission,” said Joe Ferrara, senior vice-president and general manager of security awareness training at Proofpoint.

“We recommend taking a people-centric approach to cyber security by blending organisation-wide awareness training initiatives with targeted, threat-driven education. The goal is to empower users to recognise and report attacks.”

Where appropriate security awareness training was undertaken, the effects were noticeable, with 78% of surveyed organisations saying they had seen “measurable reductions” in phishing susceptibility as a result.

Growth in end-user email reporting, which is a key metric when it comes to understanding and gauging positive behaviours, was another positive trend picked out by the report. More than nine million suspicious emails were reported in 2019 – up 67% from 2018.

Proofpoint said this was a good sign because it suggested end-users were becoming more vigilant and better able to identify threats – a useful skill given the noted trend towards more targeted and personalised forms of attack.

Altogether, 5% of the organisations surveyed said they had dealt with one successful phishing attack last year, and security pros reported high volumes of social engineering attempts. A total of 88% said they had seen spear-phishing attempts, 86% reported BEC attacks, 84% SMS/text phishing or smishing, 83% voice phishing or vishing, and 81% malicious USB drops.

A clear majority of organisations also reported that they were now taking corrective action against users who make repeated mistakes related to phishing attacks, with many respondents saying employee awareness improved vastly if people were made to bear the consequences. The UK was the country most likely to impose some monetary penalty on repeated victims, while organisations in France were most likely to fire them.

The report also showed that 65% of surveyed professionals reported that their organisation had experienced a ransomware infection in 2019. Of these, 33% opted to pay up against all advice, while 32% held firm. Of those that negotiated, 9% found they were extorted for further payments, and 22% never got access to their data.