author photo
By Bruce Sussman
Thu | Feb 13, 2020 | 8:33 AM PST

The annual State of the Phish report is widely considered the cybersecurity community's benchmark report on the state of phishing attacks and security awareness.

Highlights of the 2020 State of the Phish report

Today, in SecureWorld's Behind the Scenes interview series, we are going in depth with one of the report's creators, Gretel Egan, Security Awareness and Training Strategist at Proofpoint.

She is fantastic at explaining key takeaways from the 2020 State of the Phish report.

Listen to her complete interview or read excerpts below:

[SecureWorld]  Will you briefly tell us about some of the data used to create the 2020 State of the Phish? I know you have millions of data points. 

[Gretel Egan]  Yes, this  our sixth annual report. We look at information related to global phishing threats that are applicable for CEOs to CISOs and InfoSec professionals. Pieces of data that can really help drive their decision making.

We focused on actionable advice this year and the report is more data rich than ever. The four primary sources were, first, a survey of more than 3500 working adults across seven countries. And those countries were the United States Australia, France, Germany, Japan, Spain and the United Kingdom. And I do want to stress that they are working adults, people who are in the workforce right now.  We wanted to see what these people know and do not know about cybersecurity terminology and best practices. Cybersecurity teams can really make some inferences about their users.

We also did a survey of more than 600 IT security professionals across the same seven countries, we had a mix of respondents across security roles, CISOs, IT managers, sysadmins, system engineers, a whole range of people, which was great to get that kind of varied feedback across the InfoSec space.

We also analyzed nearly 50 million simulated phishing attacks sent out by our customers over a 12 month period. This is a big jump from when we first started doing this report. We were around 4.5 million simulated attacks back, you know, six years ago. So a huge jump there.

And we also analyze data of suspicious emails that were reported by our customers and users. And they reported more than 9 million suspicious emails over that same 12 month period. 

This year's report serves as a model for organizations. Absolutely, the benchmarking numbers are there. But we're also giving people a path to think about how they can get to the pieces of data within their organization. Things that are going to reflect their mission and help them guide their security awareness training efforts in order to support the goals of their business, and to address the issues that they're really seeing at that granular organization level.

State of the Phish report looks at end-users

[SW]  In the survey of working adults, what were some of the key takeaways that cybersecurity teams should know about?

[Egan]  Understanding if there's a language barrier within your organization on basic terms.

What we found when we did our global survey is that there still is this disconnect at a basic terminology recognition level, among a lot of working adults. When we asked what is phishing we provided three choices for people, three definitions that they could choose from, to identify what is the right definition of this term?

Only 61% of people globally got that answer correct. Now, honestly, this is a statistic that we see hovering around this mark year in and year out. And why is that because we have different people coming into the workforce, who are answering these questions in these surveys, the age groups change, but that kind of level of awareness is still remaining the same.

And with ransomware, we saw only three 31% of people getting that answer, correct.

I would equate this to a kind of analogy that if you go into a doctor's office, and the doctor comes in and provides your results to you, but they're talking to you and using very complex terminology, and advice that you really don't understand. You're not going to walk away from that interaction feeling good about the decision making, feeling confident that you understand how you're going to have to proceed.

And so it is that if security people are having a conversation with
end-users using terminology that end users don't understand, you are starting from a negative place, and it's going to be difficult to progress. 

2020 State of the Phish looks at ransomware payments

[SW]  Now let's talk about your survey of InfoSec professionals. You highlighted some ransomware findings in the report that were really interesting. The stat I'll share with our listeners was more than 50% of organizations that had an infection in 2019 decided to pay the ransom. What are your thoughts on this?

[Egan]  This was something that we really did want to dig into a little bit more this year. We didn't want to just understand how many people experienced a ransomware infection. We wanted to understand how they took action and what happened.

As you said, we did find that more than 50% of those who had an infection decided to pay. Among those people that did decide that they were going to roll the dice and negotiate with attackers, a lot of them had a positive outcome. Nearly 70% got their data back following a ransom payment.

That might comfort people on some level, but that still leaves a significant chunk of people who spent money and did not get back what they expected to. More than 20% made the payment and never got access to their data, and then about another 10% had a follow-up demand that came back to them after making initial payments.

Some people decided to walk away at that point, and others did pay the extra ransom and then did get access to their data. People really need to think about it. Think about what they're willing to lose from a ransom payment should it be not effective. And, you know, think about what it means to be flagged as a payer. We know that cybercriminals share information amongst themselves. So it's really critical to think about what that implication is down the road if word gets out that you're someone who is willing to pay a ransom.

State of the Phish looks at InfoSec professionals

[SW]  As we read the report, it was great to see nearly 80% said their security awareness initiatives are reducing user susceptibility. But my question for you is this: what do you think organizations are not doing enough of right now?

[Egan]  About 40% of organizations are only allocating an hour or less to training in a full year. So, you know, we need to think about what can happen in an hour per year if we're really looking at helping people to learn new skills, break bad habits, and change behaviors.

Thinking about what you want to get out of your program should really help drive your desire to dedicate as much time as you possibly can to that. Another thing that we saw is that only about 60% of organizations say that they're doing formal training sessions, either in person or online. The rest are kind of relying on some of the more passive training exercises. They're not so much training exercises as awareness exercises, things like newsletters and emails, awareness posters, and even simulated phishing attacks. And my caution to organizations that are relying solely on simulated attacks to train users is that these are really more awareness activities than they are training activities.

And one thing that stood out for me in the survey is that only about 16% of organizations are providing email reporting tools for employees.  And what we advocate for is that organizations do implement these email, reporting buttons as an easy way for users to alert InfoSec teams and response teams to potentially malicious attack within the network. Very few organizations taking advantage of that, which is such a powerful tool.

What will you get out of the 2020 State of the Phish report?

[SW]  The 2020 State of the Phish is a fantastic report. It's a
must- read for many. What are do you say those in cybersecurity and leadership will get out of it?

[Egan]  There's a lot of benchmarking data like average failure rates by industry and by department. That is also an important piece of the puzzle that a lot of organizations are not taking advantage of—gaining visibility into failure rates at the department level.

We obviously go into a lot of information about reporting. You know, the appendix has regional results to all the questions that we asked on the end-user side and on the InfoSec professional side.

But I think the true value of this report is that it gives you a path to understand pieces of data that can matter within your organization. Things that might be hiding within the data [based on] what you're doing right now. So really, following that path and helping you to look inward.

That's where I think a lot of organizations are missing the mark. They're not looking internally enough at the things that are happening within their organization.

It's so important to understand not just an average failure rate across your organization, but to understand what things look like at the department level, who are the people in your organization that are being most targeted by threat actors? We call those people the very attacked people or the VAPs within your organization.

However, if you're focusing only on your VAPs, you are missing the boat and not understanding the ways threat actors are approaching attacks on your organization. They are absolutely looking up and down and across org charts. They are not just targeting CFOs. They are absolutely doing their research looking for those roles and responsibilities that have opportunity and access and then targeting those roles.

So it's so important to use these pieces of more granular data to understand how to deliver the right training to the right people at the right time, which can really help you build a culture of security from a broad perspective and also keep you agile enough to address the threats that are really pressing within your organization today.

~~

We've only scratched the surface during our interview. For more:

Web Conference: Unpacking the 2020 State of the Phish Report

PDF download: Proofpoint State of the Phish Report 2020

Comments