Phishing remains a concern for organisations worldwide

An analysis of workers’ cyber knowledge gaps revealed that phishing identification and data protection are the top problem areas for end users. 

The report from Proofpoint, “Beyond the Phish 2019” analysed data from nearly 130 million questions answered by Proofpoint’s customers’ end users. Question categories ranged from insider threats to avoiding ransomware attacks. 

It was identified that on average users answered 22% of questions incorrectly across all topic categories including phishing, compliance and more. This is an increase from 19% in the 2018 analysis. The report explained that the increase in figures could be due to tougher assessments. The topics that users struggled to answer correctly included mobile device encryption, protections for personally identifiable information (PII) and distinctions between private data and public data. 

“Cybercriminals are experts at gathering personal information to launch highly targeted and convincing attacks against individuals,” said Amy Baker, vice president of Security Awareness Training Strategy and Development for Proofpoint. 

“Implementing ongoing and effective security awareness training is a necessary foundational pillar when building a strong culture of security. Educating employees about cybersecurity best practices is the best way to empower users to understand how to protect their and their employer’s data, making end users a strong last line of defense against cyber attackers.”

The report analysed users’ by department for the first time, and identified that Communications was the best performing department with end users correctly answering 84% of questions, followed by the Executive department. Customer Service, Facilities and Security were among the worst performing departments, incorrectly answering an average of 25% of cybersecurity questions asked. 

The best performing industry was Finance, with end users answering 80% of all questions correctly. The worst performing industry was identified as the Education and Transportation sectors.

“Organizations need to be persistent and thorough in their security awareness training programs considering the end user behaviors that influence and impact overall security postures. This annual report reiterates the need to go beyond the use of phishing tests to evaluate end user susceptibility and cyber threat knowledge,” continued Baker. 

“It’s important to remember that not all security incidents stem from an attack; many issues result from limited awareness and poor security practices. Our research has shown a significant increase in safe behaviors when organizations take a well-managed, continuous approach to training across all cyber topics.”


PrivSec Conferences will bring together leading speakers and experts from privacy and security to deliver compelling content via solo presentations, panel discussions, debates, roundtables and workshops.

For more information on upcoming events, visit the website.

We have been awarded the number 1 GDPR Blog in 2019 by Feedspot.