What is workforce's biggest cyber knowledge gap? ID'ing phishing threats, says study

News

A study finds that education and transportation sector employees had the worst cyber-security knowledge, while finance industry employees were the most aware

An analysis of workers' cyber knowledge gaps found that end users last year struggled most with identifying phishing threats and protecting data throughout its lifecycle, according to a new report from Proofpoint.

Titled "Beyond the Phish 2019", the report incorporates data gathered from roughly 130 million answers to questions posed to end users whose companies conducted cybersecurity knowledge assessments and security awareness training via Proofpoint's Security Education Platform. The responses were collected between 1 January 2018 and 28 February 2019. Question categories ranged from "avoiding ransomware attacks" to "identifying phishing threats" to "insider threats".

After identifying phishing attacks and protecting data throughout its lifecycle, the security awareness training categories that generated the next highest percentage of wrong answers were compliance-related cybersecurity directives, and protecting mobile devices and information.

On average, end users answered about 22 percent of all questions incorrectly, compared to 19 percent in the previous year's version of the same study (Proofpoint believes that tougher assessments may be responsible for the uptick). Among the specific topics end users had the most trouble with were mobile device encryption, protections for personally identifiable information, and the role of technical safeguards in preventing social engineering attacks.

The study also broke down worker responses by industry sector and job department. From an industry perspective, the education and transportation sectors had the worst overall knowledge scores (76 percent of questions answered correctly), while finance industry employees performed best (80 percent of questions answered correctly).

According to Proofpoint, end users who work in "commercial" departments within their organisations fared the worst in the study. Gretel Egan, security awareness training strategist at Proofpoint, helped define this particular group of employees for SC Media.

"We’ve seen a number of recurring roles and responsibilities tied to the ‘Commercial’ designation in our research, including business operations and development; contract management; customer management; sales, project, and administrative management, etc. While the definition is rather fluid depending on the business as well as geography, workers in this role are likely to have access to information that is important to the business, as well as sensitive data."

Employees working in customer service, facilities and, ironically, security departments were all tied for second with the next highest percentage of wrong answers across all security question categories. "Security" covers both physical security and cybersecurity jobs.

On the other hand, employees working within organisations' communications departments proved to be the most knowledgeable, correctly answering questions 84 percent of the time.

"Cybercriminals are experts at gathering personal information to launch highly targeted and convincing attacks against individuals," said Amy Baker, vice president of security awareness training strategy and development for Proofpoint, in a press release. "Educating employees about cybersecurity best practices is the best way to empower users to understand how to protect their own and their employers' data, making end users a strong last line of defense against cyber attackers."

This article was originally published on SC Media US.
