70 million responses can’t be wrong - issa …pittsburgh.issa.org/archives/wombat-beyond the...

70 Million Responses Can’t be Wrong
Amy Baker, VP of Marketing, Wombat Security Technologies
© 2008 - 2017 Wombat Security Technologies, Inc. All rights reserved.



Assess, train and gather intelligence about end user cyber security knowledge & behavior

Leading Behavior Change Company

Global customer base including many Fortune 500 companies

Wombat sells cyber security software solutions that change end user behavior


Beyond the Phish

More than 70 million questions asked and answered

NEW! Highlights from our 2017 User Risk Report, which compiled results from a third-party survey of 2,000 working adults.


10% increase in correct answers (7 million)

How Are End Users Doing?
Average Percentage of Questions Answered Incorrectly

OVERALL
• 2016: 22% questions incorrect
• 2017: 20% questions incorrect


Further Focus on Industry Data
Average Percentage of Questions Answered Incorrectly by Industry

(Chart: industry labels not preserved; plotted values range from 20 to 24.)


Look Beyond The Phish to Root Cause

Failing to identify phishing threats

Failing to protect confidential information

Unsafe mobile device practices

Disposing of data improperly

Social media oversharing


How Are End Users Doing?
Average Percentage of Questions Answered INCORRECTLY

• Protecting confidential information: 26%
• Protecting and disposing of data securely: 25%
• Identifying phishing threats: 24%
• Protecting mobile devices and information: 24%
• Using social media safely: 22%


Protecting Confidential Information

• 2016: 27% questions incorrect
• 2017: 26% questions incorrect


One of the questions users struggled with the most was around the use of shared login credentials.

FACT

To minimize this practice, employees should be made aware of the personal implications of allowing coworkers to access sensitive retail and healthcare systems using their credentials.


Protecting Confidential Information

Knowledge of End-User Cybersecurity Best Practices for PCI DSS and Healthcare Data Protection

Industries Struggling the Most:
• Education: 29%
• Energy: 35%
• Transportation: 28%
• Healthcare: 29%
• Professional Services: 28%
• Insurance: 31%
• Defense Industrial Base: 27%
• Other: 27%


Protecting and Disposing of Data Securely

• 2016: 30% questions incorrect
• 2017: 25% questions incorrect


Protecting and Disposing of Data Securely

Topics addressed include destruction of electronic and paper documents, use of USB devices, and classification of sensitive data.

Industries Struggling the Most:
• Transportation: 28%
• Consumer Goods: 32%
• Healthcare: 27%
• Technology: 27%
• Retail: 30%
• Energy: 26%
• Entertainment: 26%
• Hospitality: 27%


Identifying Phishing Threats

• 2016: 28% questions incorrect
• 2017: 24% questions incorrect


Identifying Phishing Threats

FACT

This topic was the most popular with our customers. More than half of the assessment and training questions delivered to end users during our reporting period were related to phishing threats, and there was an even bigger emphasis on this topic than last year.


Identifying Phishing Threats

This category focuses on the different indicators and ramifications of phishing attacks

Click Rate* on Simulated Phishing Attacks vs. Questions Incorrect in Knowledge Assessments
• Healthcare: 18% vs. 26%
• Government: 14% vs. 24%

*Click rate data is from our 2017 State of the Phish Report.

Check out our State of the Phish™ Report for more data about phishing attacks.


Protecting Mobile Devices and Information

• 2016: 15% questions incorrect
• 2017: 24% questions incorrect


Protecting Mobile Devices and Information

According to Pew research, as of January 2017:
• 92% of Americans aged 18-29 have a smartphone
• 88% of Americans aged 30-49 have a smartphone


Protecting Mobile Devices and Information

Questions pertain to the implications and ramifications of unsafe mobile applications and invasive permissions

Industries Struggling the Most:
• Energy: 27%
• Hospitality: 34%
• Healthcare: 27%
• Manufacturing: 26%
• Retail: 30%
• Insurance: 26%


Using Social Media Safely

• 2016: 31% questions incorrect
• 2017: 22% questions incorrect


Keep These End-User Risks in Mind

71% regularly use corporate devices outside the office

54% view or post to social media on those devices

43% allow friends or family members to view or post to social media on those devices


Using Social Media Safely

Social Media concepts include recognizing imposters and oversharing on social media networks

Industries Struggling the Most:
• Hospitality: 25%
• Retail: 31%
• Transportation: 29%
• Consumer Goods: 26%
• Defense Industrial Base: 33%
• Telecommunications: 36%


How Are End Users Doing?
Average Percentage of Questions Answered CORRECTLY

• Working safely outside the office: 80%
• Using the internet safely: 81%
• Protecting against physical risks: 82%
• Protecting yourself against scams: 86%
• Building safe passwords: 88%


What is my password?


Effective Approaches to Improving End User Knowledge


Application of Learning Science Principles

• Present concepts and procedures together
• Bite-sized lessons
• Story-based environment
• Learn by doing
• Use conversational tone
• Create teachable moments
• Provide immediate feedback
• Collect valuable data


Continuous Training Methodology

Analyze and Repeat

Simulated attacks and knowledge assessments

Interactive training modules and games

Attack reporting, videos, posters, and articles

Detailed reports show progress


Knowledge Assessments & Mock Attacks
o Assess knowledge and vulnerability
o Gather baseline results
o Intelligence for planning
o Motivate users


Leveraging Teachable Moments
o Intervention message
o Less than 30 seconds
o Immediate feedback
o Provides context


In-Depth Education
• Bite-sized education
• Learn by doing
• Stories & scenarios
• Provide immediate feedback
• Collect valuable data


Reinforce and Repeat
o Remind employees of security principles
o Encourage them to report attacks
o Reinforce training modules
o Retain knowledge
o Respond appropriately

#StateofthePhish


Achieving Measurable Results
o More than 89% reduction in phishing susceptibility
o 90% reduction in successful phishing attacks
o More than 67% reduction in click rates
o 42% reduction in malware infections


Case Study: Employee Benefits Organization

More than 89% reduction in click rates

Problem
• IT team was tasked with developing and delivering an organization-wide security program
• Complete executive- and board-level buy-in from the beginning

Methodology
• Regular phishing simulations and knowledge assessments with Auto-Enrollment to address vulnerable users
• Quarterly organization-wide training
• Use of customized Training Jackets on all modules to emphasize policies
• Consistent measurement and reporting

Results
• Average click rates went from 19.8% to 2.1%

“Without Wombat, it would be very hard to do as comprehensive a program as we do. We absolutely feel there’s a big benefit to partnering with an expert to quickly incorporate assessment and education tools.”


70 Million Responses Can’t be Wrong

• End Users need to be more knowledgeable
  – Protecting Confidential Information
  – Protecting and Disposing of Data Securely
  – Identify Phishing Threats
  – Protecting Mobile Devices and Information
  – Using Social Media Safely
• It’s time to focus on the root cause
• How would your end users’ knowledge compare in these areas?


Clear Leader for Four Years


Free Resources for You – wombatsecurity.com

• Wombat Cybersecurity Blog

• Wombat Ransomware Resource Center

• Wombat Webinar Library

• Wombat Case Studies and POCs

• Wombat Research Papers

• Cybersecurity Communications Calendar

• Security Awareness Infographics


Q & A