Understanding Cybersecurity Vulnerability and Behavior
Your cybersecurity posture is only as strong as its weakest link. And in today’s people-centric threat landscape, that means your users. They are your greatest asset, your biggest risk and your last line of defense from threats. That’s because attackers have shifted their focus from infrastructure to people. No matter how well you’re managing your IT infrastructure, you can’t patch your way out of these people-centered attacks.
Methodology and Scope
Working with a third-party research firm, we polled more than 3,500 working adults across the United States, Australia, France, Germany, Japan, Spain and the United Kingdom. Our survey questions sought to assess the following:
- How well users understood these commonly used cybersecurity terms
- How well users recognized the limits of technical safeguards in identifying (and fixing) malware-related incidents
- Whether younger workers have an edge over older workers in cybersecurity knowledge
The User Risk Report Results
Those in security and IT must wonder: who doesn’t know what phishing is? The (unfortunate) answer is this: countless numbers of people. Many users are at least vaguely aware of threats from malicious software, email, text messages and phone calls. But they may not know the more formal terms used to describe them.
Our survey asked users to define key cybersecurity terms, offering three multiple-choice answers and an "I don’t know" option. Some of the user risk survey results showed:
- Only 49% of US workers correctly defined what the term phishing meant
- Only 18% of global workers were able to correctly define what vishing was
Cybersecurity user behaviors
Email security should be a top concern of individuals and organizations alike. But users also need to recognize that decisions they make outside of their inboxes can put them (and your organization) at greater risk of phishing attacks and other threats.
Smartphones and Wi-Fi are potential weak links. Nearly all survey respondents (95%) said they use a smartphone, and 41% said they use their devices for both personal and work activities.
Wi-Fi presents another challenge. Open-access networks are virtually everywhere, and device users readily connect (often to avoid data charges). But public hotspots aren’t the only source of Wi-Fi danger. Working remotely has become more common, which means that home Wi-Fi hygiene can affect the security of your organization’s data and systems. Are those networks adequately protected?
When it comes to end-user cybersecurity, misconceptions are often at the root of risky behaviors. We found that many working adults mistakenly rely on technical safeguards on home and work devices to be failsafe solutions.
- 66% of survey respondents believe that keeping anti-virus software up to date will prevent attackers from accessing their devices
- 51% of users think that their IT teams will be automatically notified if they accidentally install a virus or other malicious software on their work computer
Passwords and VPNs
Passwords are another source of frustration for security and IT teams. Most concerning: users’ tendency to reuse passwords. Thankfully, we found that more than half of respondents are avoiding the dreaded practice—but by a slim margin. Password reuse, when part of a breach replay attack, is a frequent conduit of email account compromise (EAC) and cloud account compromise. Cyber criminals often use stolen passwords from one account on others, counting on some level of password reuse.
Many, if not most, organizations spell out acceptable-use policies for work-issued devices. But unless access is locked down, there’s no telling whether users are actively following those guidelines. Those who have access freely use their devices for personal activities. If your employees are not well versed in how to safely interact with email, websites and social media, their actions could lead to security risk. Still, we’re betting it’s particularly worrisome to think of your employees’ friends and family having access to your organization’s PCs and smartphones. Though 51% of those with work-issued devices said they deny external access, plenty of people allow their loved ones—including children—to use their devices for a range of activities.
For today’s younger workers, smart devices and applications are second nature. As workforces see an influx of these technology-savvy individuals, some might assume that younger workers will bring with them an innate understanding of cybersecurity best practices. That’s not always the case. Here’s how younger users and the much-discussed millennial generation compare to older employees—including baby boomers—on six key questions.
- 47% of respondents who were 22 years old or younger correctly knew what phishing was, compared to 66% of respondents who were 55 and older
- Only 28% of respondents who were 22 years old or younger correctly knew what ransomware was, compared to 43% of respondents who were 55 and older
Corporate devices: do you know where they’ve been?
About 50% of respondents said they give friends and family access to their employer-issued devices.
User Risk Report Conclusion and Recommendations
Organizations need to take a more inward, people-centric view of their vulnerabilities and empower users to become a stronger line of defense. Recognize that any user could be a target at any time. Develop a security awareness training program that uses user-level visibility into your Very Attacked People™ (VAPs) and real-life threat intelligence to provide organization-wide and targeted security awareness training.
To that end, here are three foundational steps you can take for a stronger last line of defense:
Commit to building a culture of security
There’s a lot of shared experience across organizations and industries. Our missions, customers and data may be different, but we’re facing the same battle at a fundamental level: the fight to be more secure. And if you want to truly make a change—meaning a mindset and behavior shift that has a positive, day-to-day impact on your organization—you must commit to bringing cybersecurity to the forefront. And that’s true for everyone.
Every user in your organization should know how they can be more cyber-aware. A broad, organization-wide security awareness training program will help you do that.
Answer the three W’s
Along with shared experience, we see many variations across industries, departments and user populations. Understanding what those differences mean for your organization allows you to better combat the specific ways attackers are targeting your users. At a minimum, we suggest you answer these three questions:
- Who in my organization is being targeted by attackers?
- What types of cyber attacks are they facing?
- How can I minimize risk if these attacks get through?
Make time for agility
The first two actions we recommend aren’t "one-and-done" activities. Building a security culture takes ongoing effort and attention. Plan for regular training and awareness activities, but be responsive to changes in the threat landscape (and your organization).
Attackers’ targets change over time. We recommend identifying your VAPs monthly, if not weekly. By pairing granular analysis with organization-wide training, someone who becomes a VAP will have a cybersecurity foundation you can build on with added targeted training.
User Risk Report Conclusion: Next steps
Understanding cyber threats like phishing is important. Having benchmarks to measure your users against them is also valuable. But other organizations’ data isn’t as important as your organization’s data. To improve your own security posture, you must understand your own unique threat climate. Think about:
- Which users have the best and worst security knowledge
- How your organization’s score compares to others in your industry
- Detailed information on your people-centric user risk posture broken down by department, region and more