Social media and remote working are the least understood end-user security issues among businesses, according to a report from IT security firm Wombat.
The report evaluated nearly 20 million questions asked and answered in Wombat's security education platform over the past two years, and highlights both the areas end users struggle with the most and the least.
The top problem area for end users, with 31 percent of questions missed, is safe social media use, yet only 55 percent of security professionals assess employee knowledge on this topic.
"I found it concerning that 37 percent of users in the retail industry missed questions within our protecting and disposing of data securely module. Given that most retailers are under PCI compliance requirements, I expected these users to perform better here," Trevor Hawthorn, chief technology officer of Wombat Security, told eWEEK. "I suspect that these numbers are due to the transient and temporary nature of in-store employees. Training that is long, video-based or in person is also probably going to be an issue for this young, hourly workforce—short interactive training works best in these settings."
He noted retail also came in third in terms missing questions within social media, indicating there is a lot of work to be done there as well. Hawthorn said social media use—both consumption and posting/sharing—is hard, if not impossible, for organizations to control.
"Even if the organization filters it on the network, I promise you the employees are in their cubes, at lunch, at home, on their phones," he said. "There are both technical security risks with social media, like malicious links, but there are also competitive risks due to oversharing, as well as reputation or brand risks if an employee is posting comments that reflect poorly on the organization."
While end users' ability to protect confidential information scored highest in health care, 31 percent of questions on the topic were missed by those in the industry.
"I think that ransomware will continue to be a threat. Ransomware has generated enough buzz that a lot of people know about it, and I think it will be less damaging over time. SMB and low-budget IT shops will continue to struggle, however," Hawthorn said. "Further down the road, I can see malware that doesn't attack a user's system but rather … forces the user's machine to interact with a cloud provider to expose the user's files with the attacker."