author photo
By Bruce Sussman
Tue | Sep 3, 2019 | 8:45 AM PDT

Based on what we hear from security leaders and professionals, the "Beyond the Phish" report is one of the most valuable security studies of each summer.

How much data goes into the 'Beyond the Phish' report?

In part, this is because security leaders respect data. And this Proofpoint Security Awareness Training report is based on a lot of it, including more than 130 million answered questions.

Even more important is what the report reveals: insights into employee knowledge and end user behavior across 14 categories, 16 industries, and more than 20 commonly used department classifications.

And the 2019 report includes new categories: research on insider threats and executive cybersecurity knowledge.

Positives: What did 2019 'Beyond the Phish' report reveal?

We just finished listening to the SecureWorld web conference, Beyond the Phish: A Snapshot of End-User Behavior, which is available on-demand and includes the 'Beyond the Phish' report PDF.

Here is a brief synopsis of what we discovered.

There are some definite areas of security awareness improvement. Security teams are making progress within the organization.

"Risky communication channels, the whole idea of being at Starbucks on WiFi or hotel WiFi, we've gotten enough mind-share on that topic that employees are thinking twice about that sort of thing," says Dale Zabriskie, Security Awareness Evangelist at Proofpoint Security Awareness Training.

And he says end-users are also more aware of physical security safeguards they should take while traveling.

Plus, the report reveals a growing recognition of malicious pop-ups, a greater understanding of ransomware, and that end-users are increasingly adopting "lock before you walk" by locking their devices before they walk away from them.

Challenges: what did 2019 'Beyond the Phish' report uncover?

And while progress is being made, the report uncovered the need for consistent security awareness training and testing. Here are some key areas of training and the results. 

1. Identifying phishing threats

Approximately 25% of end-users are still answering questions about phishing threats incorrectly.


Clearly, this is an area of great risk for organizations. So what is the key to shrinking this knowledge gap?

"If you're doing phishing and you are doing training, make sure your training relates to what you are doing in the phishing," says Zabriskie. "Yes, there are compliance things and other things you need to train on. But if you're going to move the needle and help people protect the organization and protect themselves, you've got to line it up."

2. Cybersecurity concerns for working adults

The report reveals the importance of treating employee age demographics differently because they use, approach, and understand technology differently.

3. Lifecycle of data and related compliance issues

Control of data is a challenge, especially because many employees fail to comprehend the big picture of their data use within the organization. The data shows end-users are often unaware of how to share data securely with others or how to dispose of it securely once they are done using it. 

4. Mobile device security and encryption

Research reveals we act differently on mobile devices, and end-users often take greater risks. "I just emailed it from me to me, so that's okay, right?" There needs to be more training on PII protection. 

And there is a lot more to do now around the data and processes which are driving digital transformation within organizations. What are the distinctions between private data and public data? This is something end-users are struggling with.

Just announced: complimentary security awareness tools and guide

During the "Beyond the Phish" web conference, Proofpoint also made a major announcement. The company is launching a new Phishing Awareness Kit, which is both complimentary and robust.

Gretel Egan, Security Awareness and Training Strategist, explains:

"We're delivering content that's going to help you raise phishing awareness during National Cyber Security Awareness Month in October, or any other month. The kit addresses challenges related to your security resources, like money and time. It provides a suggested schedule for how to use the tools, and also pre-written content for emails which you can adjust for your organization and send out."

We downloaded the kit and found it also includes an administrative guide, a sample phishing awareness newsletter you can adapt, fully-scripted PowerPoint slides, and a catchy security awareness poster. It will be tough for employees to walk past this one without doing a double-take:


[DOWNLOAD: Complimentary phishing awareness kit and guide by Proofpoint Security Awareness Training]

Security awareness strategy: what is the key?

Although much of the 2019 "Beyond the Phish" report is all about end-user details by industry and role, there is a big picture takeaway which every organization should consider.

You need to continuously fight the security awareness battle:


"When you apply a specific methodology to it, that's when you're really going to start to move the needle. Just looking at click rates and phishing simulation results alone does not give you a total picture of your organization," says Proofpoint's Dale Zabriskie. 

"The education provides the why. This is why it's important. Often when people understand the why, they are a lot more engaged in the program. And a consistent ongoing method provides the best results."

And isn't the best what you are after? 

Security awareness resources:

The SecureWorld web conference, Beyond the Phish: A Snapshot of End-User Behavior, available on-demand and including the full "Beyond the Phish" report PDF.

New download: complimentary phishing awareness kit and guide by Proofpoint Security Awareness Training.