Discussing Wombat Security’s Fourth Annual State of the Phish™ Report

It was rather recently that Wombat Security Technologies, the leading provider of cyber security awareness and training, released its fourth annual State of the Phish™ report.

Released in mid-January, the State of the Phish™ report came with some very notable findings. A Wombat press release discussing the report says- “The report findings demonstrate that the war against phishing is still on, with 76% of organizations experiencing phishing attacks in 2017 and nearly half of information security (infosec) professionals saying that the rate of attacks increased from 2016. The impacts of phishing were also more broadly felt than in 2016, with an 80+% increase in reports of malware infections, account compromise, and data loss related to phishing attacks.”

Well, despite the increase in the number of phishing attacks, it seems there are some positive trends as well, which the report studies and discusses. The report discusses a heartening trend among Wombat customers now, which involves declining click rates plus a considerable increase in the number of suspicious emails that are being identified and reported by end users. Yet, there is something that’s of serious concern. The press release says-“Unfortunately, awareness of phishing and ransomware has not trickled down to the average technology user, as revealed by the international third-party survey that was conducted as part of the State of the Phish research.”

The main sources for the data

The report has been based on data collected from three main sources-

• From the millions of simulated phishing emails that were sent through Wombat’s Security Education platform over a one-year period.
• From responses (10,000 plus responses) that have been obtained from the quarterly surveys of Wombat’s database of infosec professionals, representing 16 different industries.
• From a third-party survey covering over 3,000 technology users (from the U.S, UK and Germany)

The themes

The Wombat press release also discusses the four overarching themes, the data presented via which form the basis of the report’s basic structure. These themes, as per the press release, are- 1). “Business intelligence gathered from simulated phishing data and real-world experiences of infosec professionals”, 2). ” Factors that influence click rates and reporting (such as industry and program maturity) and data about use of consequence models”, 3). “Key differences between organizational approaches to end-user risk management in the US and the UK”, and, 4). “End-user knowledge levels related to phishing, ransomware, and smishing (SMS/text message phishing)”.

Focus on regional differences

This year’s State of the Phish™ report focuses on the regional differences between the U.S approach and the UK approach to cyber security education.
The research found that organizations in the UK are less likely to assess how susceptible end users are to phishing attacks while U.S companies work in a different manner. The Wombat press release says- “Wombat found that UK organizations are less likely to assess end users’ susceptibility to phishing attacks; more frequently use passive security awareness and training tools (like videos, posters, and newsletters); and are much more likely to rely on yearly cybersecurity training. The report also reveals that US organizations — which favor interactive training methods delivered on a monthly or quarterly basis — are more than twice as likely to realize quantifiable results from their efforts.”

The other findings

The other key findings of the research report are:

• An increase, for the fourth consecutive year, in the number of organizations assessing as well as training their people as regards protecting themselves from phishing attacks.
• An increase (from 62 percent in 2016 to 79 percent in 2017) in the number of organizations using computer-based training.
• SMS/text message phishing or Smishing showing an emerging threat.
• The prevalence of generational differences; those above 55 seem to outpace millennials as regards recognizing phishing attacks.
• German users being unable to define or identify ransomware.