By Bruce Sussman
Mon | Sep 23, 2019 | 4:45 AM PDT

Maybe you've glanced at a headline or two about the 2019 "Beyond the Phish" report, which Proofpoint releases each summer. And that's great.

But we want to go beyond the headlines now and behind the scenes on the key findings of this report.

We are doing that by interviewing Dale Zabriskie, Security Awareness Evangelist at Proofpoint Security Awareness Training; he knows the report like the back of his hand.

Listen to our complete interview as he unpacks key security awareness metrics and strategies, or see excerpts of our interview below.

Why do more than simulated phishing attacks for security awareness?

[Zabriskie] That's a question that gets brought up all the time. So I appreciate that. The reason that we focus—and we call it beyond the phish—is really encapsulated in one of the first statistics from that report.

On average, we see that in our platform and through our customers around the globe, that about 9% is the failure rate on simulated phishing attacks, where people are getting tested. And you think, okay, if I have 1,000 people in my organization, that's 90 people that are clicking, and you do the math. You may think, well, that's pretty good, pretty good. You know, I'm in single digits.

But then you look at your user base, and you start to find out what they really know, in what they can tell you, as opposed to what they click on. 

Look at the average percentage of questions that are answered incorrectly on an assessment around things like: "How well do you know password policy? How well do you understand protecting proprietary information or personally identifiable information? And do you understand how to engage in social media in a secure fashion and other topics?" When you look at that percentage, 25% of the questions are answered incorrectly.

So 75% is barely a passing grade, I think, in most places. And to change the needle and to change behavior within an organization, it's much more than just users clicking. It is also what do they know? And how well are they prepared to protect themselves? Because in this game that we're playing, we're only going to succeed when the users become part of a solution, rather than thinking of them as a problem.

How do you build a security awareness program and educate end-users when threats are constantly evolving?

[Zabriskie] One of the things we do at Proofpoint to help answer that question is we integrate the training platform and the phishing simulation platform with the threat intelligence that an organization has.

Every mature organization is monitoring and tracking things that are coming into their firewall, through their email systems. Most of them do a really good job at understanding the kind of threats that are hitting their own environment.

Let's say that an organization is getting hit with a barrage of credential compromise type phishing and they've captured those. Maybe they're not even making it to inboxes. The security or IT team can look at them, analyze them, and use the platform to re-purpose that very thing and use that as a simulation.

Now I'm getting some really hard data about how my users would react to that malicious email. To really help change behavior of an organization, you want to do things that are relevant and present.

We need to help our users understand that and learn, and teach them how to respond properly.

When it comes to training modules, what did your research find? Is a one-size-fits-all campaign effective?

[Zabriskie] I think there are some general things around basic topics that any organization would be very happy to train their users on. Passwords, and social media, and protecting data, things like that. Most organizations have some compliance or some regulations they have to comply with. So there might be something like a GDPR training or things that are regulatory in nature. These are some foundational things which work really, really well.

All right, you have basic things that you want to train on, and doing something is better than nothing, there's no question about it. But to really decide what do I need to train my people on? The best way is the three-legged stool of phishing simulation and awareness, and secure assessment modules, to find out what my people know and what they don't know.

And then that third leg is the training, and the training gets driven, modified, and structured based on what the organization learns, from the phishing simulations and the assessments; that's the best way to do things. Because now I've got a holistic view and a comprehensive approach.

I can go to my stakeholders and say, for example: "I need you to know, we have found out that our people don't understand the password policy, or we've just implemented a new password policy, we did an assessment. And we had bad results and a much worse result than we wanted it to be. Do we need to do training around this?" That helps an organization make the decision and get the buy-in and the budget to do those kinds of things.

It's always good to have some basic modules that you're going to train on. And determine what helps your people grow. But the best thing happens when you're doing it from a very targeted and metric-based approach.

Download the 2019 'Beyond the Phish' report

Here are two additional options for mining the data in the 2019 "Beyond the Phish" report.

Download it here as a PDF. Or watch the SecureWorld web conference, which is available on-demand, and earn CPE credits.