Risk Alert: Most Users Still Don’t Understand Much About Scams, Attacks, and Cyber Risk

Improvement in Cyber-Awareness?

Written by Stu Sjouwerman

The latest data from Proofpoint shows improvement in user cyber-awareness, but organizations have a long way to go before they can consider users able to help prevent attacks.

You can put every security solution in place that you want and some percentage of malicious emails, web pages, and social engineering scams will still make it through to your users. It would certainly help if your users had – at a bare minimum – a basic understanding of the terms used to describe cyber attack methods. While that knowledge is not effective in stopping attacks, knowing that these attack types exist would elevate a user’s awareness and perhaps lower the organization’s risk.

But, according to Proofpoint’s 2019 State of the Phish Report, users lack even the most basic education. When asked very rudimentary questions, the following average percentage of users globally got them wrong or didn’t know the answer:

  • What is Phishing? 34%
  • What is Ransomware? 55%
  • What is Smishing? 77%
  • What is Vishing? 81%

The Proofpoint data points out the need for organizations to assume their users, in general, have zero idea about cyber attacks and acknowledge the inherent risk that brings. When users aren’t educated on cyberthreats, they become easy prey for cybercriminals.


Organizations seeking to elevate their users’ understanding of cyber attacks, the methods used, the role played by social engineering, how they can spot suspicious web pages, text links, and emails – and why they should care – need to implement continuous Security Awareness Training and phishing testing. The training makes users realize the need to be vigilant, providing them with skills to distinguish maliciously-intended content. The testing provides organizations with a feedback loop, helping to identify which users remain a weak link in their user security.

Users today by and large have no real understanding of the attacks that will and do make it to their inbox or web browser. Education is the key to “patching” this insecure part of your security strategy.
