It's time to look at the 2019 State of the Phish report from a fresh angle, as part of SecureWorld's Behind the Scenes interview series.
Our team interviewed report experts Gretel Egan, Security Awareness and Training Strategist, and Kurt Wescoe, Chief Security Awareness Architect, of Proofpoint Security.
Watch or listen to our complete interview, or read excerpts below:
[SW] Page 1 of your report reveals it is based on tens of millions of simulated phishing emails, 15,000 surveys of InfoSec professionals, and 7,000 end-user surveys across 16 industry verticals. What are you trying to accomplish with such an in-depth report?
[Egan] "We recognize there are a lot of reports and data points out there, so we really did focus this year on actionable data and advice. We really believe in the importance of tracking activity and using metrics to breed a more successful approach and a successful security program. It's not just about data for data's sake, it's taking what we found and offering recommendations about how organizations can use those findings to take a more people-centric approach to cybersecurity. And using data to deliver the right training, to the right people at the right time."
[Wescoe] "As Gretel mentioned, it's about giving you deep data that allows you to take actionable decisions and do things readily within your program right away. It's things like our very attacked people viewpoint and our departmental analysis. There are differences in how people are falling for these phishing and simulated phishing attacks as well as how attackers are attacking them."
[SW] What was an eye-opening finding for each of you in this report?
[Wescoe] "The thing that really jumped out to me was the departmental analysis. This was the first year that we really dug in and have taken a look at how different departments are performing on simulated attacks. What we have seen in this is that there has really been a misalignment between how organizations are phishing their users and how they are actually being attacked. Last year really was the year of account compromise and credential phishing. It really jumped out that organizations are not using the threat landscape to inform their simulated attack programs." (For example, far fewer data-entry simulated phishing emails were used than the threat landscape would warrant.)
[Egan] "I was surprised to see the phishing rates jump as much as they did. And to see that InfoSec professionals said that across the board, all types of social engineering attacks they saw within their organization were increasing. It is certainly indicative that attackers are using all available inroads to get to users and it speaks to the need to educate users about social engineering techniques in general and not just the way they are applied in email attacks."
[SW] Can you please pick just one key takeaway you want cybersecurity and InfoSec professionals to have from the State of the Phish 2019?
[Wescoe] "A challenge you can see organizations facing as they're seeing some of this data is 'I need to look at what I got last month.' You run the risk of training users only around exactly what is happening right now.
In the same vein, you can't rely on the fact you had a low failure rate, for example, on a credential phish from January. Because attackers, as we've seen with some of our tax filing examples we've rolled out, that credential phishing is changed month to month in terms of the tactics being used. So I think a real takeaway is that you have to try and balance out how you're trying to deal with the threat landscape that exists today while also trying to raise your overall knowledge within your team to get them better at detecting phish and reporting them."
[Egan] "One thing I would really stress to InfoSec teams is getting a better understanding of your end users in general. I mentioned that we included a five-question, seven-country survey of working adults, and our goal there was to measure end users' understanding of commonly used terms (e.g., 'What is phishing?'). It's important for InfoSec teams to understand that the language they speak so readily and so commonly is not the same language that is necessarily spoken by their end users. So it's very likely that a good percentage of people working in an organization—if someone has not taken the time to define phishing and to define ransomware for those people at a fundamental level—they're not really understanding the conversation.
We also did some analysis by age group, and we did this specifically to compare how millennials... how they are comparing against their counterparts. What we found is that although these are digital natives, they've grown up with technology, they are not necessarily well versed in cybersecurity fundamentals. They were outperformed by at least one other age group in all the questions that we asked. And baby boomers were actually the ones who exhibited the best recognition of phishing and ransomware terminology. The caution here is that organizations should really not be assuming that as their workers are getting younger that they are bringing with them a higher level and innate sense of cybersecurity."
Listen to or watch the complete interview (above) for many more details, including a look at regional differences, the state of security awareness maturity, and other specific takeaways for security leaders and teams. The excerpts above were edited for brevity.