Thoughts on the latest phishing report

There is some excellent reading in Proofpoint's 2019 phishing report, including the #1 finding validating "the need to take a people-centric approach to cybersecurity" and that "Cyber attackers are increasingly focusing their attention on people, not technical defense". Agree with that, although I think it is worth noting that the so-called weakest link (that's you & me, thanks very much) is typically tricked into executing a technology exploit, particularly in a phishing-centric view of the world. Apart from pure social engineering, e.g. over the phone, or whaling that requires human intervention, when we click on something or plug a weaponised USB stick in, it's a technology process that is kicked off. It seems a bit rough to me to entirely blame the person for this?

Anyhow, it was disappointing to see on the same page that they framed their discussion in terms of infosec pros, failure rates, industry averages and what was useful to program admins. And later on, they talk about the most "successful" phishing campaigns as those having the highest failure rates! Then instead of talking about how people get better given the right circumstances, they talk about failure rates decreasing. I get that they're selling a phishing SaaS, but I think we would benefit from looking at the positives as well as the negatives. How hard would it be to also look at what people are really good at, and how that is developing to reduce risk every year? We don't have to live in a world of failure.

So page 14 "carrot vs. stick" aka positive reinforcement vs. punishment is particularly interesting to us, and we are thrilled to see a move away from punishment :-) Let’s keep going in that direction.
