Proofpoint: Employees Coming Up Short on Security Awareness
Many organizations need to rethink their security awareness training as there’s still plenty of room for cybercriminals to exploit knowledge gaps.
That’s according to Proofpoint’s fourth annual Beyond the Phish report, which examines end-user understanding of cybersecurity topics and best practices. The report offers insights into employee knowledge levels across 14 categories, 16 industries and more than 20 commonly used department classifications.
Gretel Egan, security awareness training strategist at Proofpoint, tells us it’s “incredibly important” to look beyond email-based phishing threats when assessing an organization’s overall security strength.
“Our findings demonstrate the importance of leveraging more than just the sole use of simulated phishing attacks, for example, when it comes to training and educating users,” she said. “We’ve found that channel partners have an opportunity to help their counterparts rethink their security awareness training approach by encouraging them to use learning science principles and the latest threats across their content to develop a program that truly turns their end users into an informed last line of defense.”
Proofpoint found that 83% of global organizations experienced phishing attacks in 2018, underscoring the need to educate end users.
“This year, we found that end users incorrectly answered one in every four questions in the ‘identifying phishing threats’ and ‘protecting data throughout its life cycle’ categories,” Egan said. “This maps to a trend that we continue to see despite ongoing high-profile breaches that have been disclosed to begin with a simple phishing attack. Ultimately, this continued struggle speaks to the complexity of both topics. While data protection and avoiding phishing attempts might sound straightforward, they are extremely broad subject areas that require a thorough cybersecurity training background to fully grasp and apply in day-to-day life. This points towards the need for organizations to take a more well-rounded approach to educating end users on these topics, which can help end users to understand the ways in which their behaviors can influence their organizations’ email and data security posture.”
Communications was the best-performing department, with end users correctly answering 84% of questions, while finance was the best-performing industry, with end users answering 80% of all questions correctly, according to the report.
End users in the insurance industry delivered the best performance in three of the 14 categories analyzed, specifically excelling in the “avoiding ransomware attacks” category.
Service, facilities and security were among the worst-performing departments, with end users incorrectly answering an average of 25% of the cybersecurity questions asked. Note that the “security” department classification in the report can cover both physical security and cybersecurity staff.
End users in the education and transportation industries struggled the most, on average answering 24% of questions incorrectly across all categories. Hospitality employees scored the lowest in three categories, including “physical security risks,” in which 22% of questions were answered incorrectly.
“One of the most important and often overlooked metrics of a successful security awareness training program is how relevant that training is to the threats that end users face each day,” Egan said. “While broad security awareness training is critical for establishing a common cybersecurity vernacular among all users and a general understanding of the types of threats in the landscape, the next step is really focusing training around the threats that organizations are receiving in real time. It is incredibly important to develop a program based off threat intelligence and an understanding of who an organization’s very attacked people are, as this provides insight into how cybercriminals are targeting attacks and where those attacks are headed. Armed with this knowledge, infosecurity teams can create a tailored security awareness training program to more effectively educate users and change behavior.”
“Cybercriminals are experts at gathering personal information to launch highly targeted and convincing attacks against individuals,” said Amy Baker, Proofpoint’s vice president of security awareness training strategy and development.
“Educating employees about cybersecurity best practices is the best way to empower users to understand how to protect their and their employer’s data, making end users a strong last line of defense against cyberattackers,” she said.