User Risk Report Shows Marked Lack of Security Awareness Among Workers
Earlier this week, we released our 2017 User Risk Report, which features the results of a survey of more than 2,000 working adults — 1,000 in the US and 1,000 in the UK — who were asked about cybersecurity topics and best practices that are fundamental to data and network security. What we found out about the personal habits of these individuals was sometimes heartening, occasionally perplexing, and frequently terrifying — but always enlightening.
An interesting note before you dive into the highlights below: Our survey concluded less than 24 hours before the first reports of the global WannaCry ransomware attack began to spread. As such, the responses of the participants were not influenced by the increased media exposure that resulted from WannaCry.
On Phishing and Ransomware
Like everyone in the cybersecurity space, we’re always interested to gain insights into what end-users do and do not know about phishing attacks. As such, we repeated two questions that we originally asked of survey respondents for our 2017 State of the Phish™ Report: “What is phishing?” and “What is ransomware?”
We did not see a big change in results over these past several months. Though there is a positive to the fact that 70% of US and UK respondents were able to identify phishing in basic terms, there are still 30% who don’t know what it is (with 13% of those not even willing to take a guess).
Recognition of ransomware was, unfortunately, even lower (an important point given that WannaCry started its spread just 24 hours after the close of our survey). As you’ll note in the image below, fewer than half of respondents (37% in the US and 42% in the UK) were able to accurately identify what ransomware is — and 39% of UK respondents wouldn’t even hazard a guess on this multiple-choice query.
Question: What Is Ransomware?
We find it interesting to equate this to people, not just percentages. Putting these results into the context of a 2,000-person organization:
- 3 out of every 10 — or 600 people — would have no clue what phishing is.
- 6 out of every 10 — or 1,200 people — would not be able to tell you what ransomware is.
If you are assuming that your employees know what phishing and ransomware are, it’s probably time to reevaluate that. And it’s certainly time to recognize that, even if they are able to correctly point out the definitions of these terms, awareness of the threats doesn’t equate to knowledge of real-world recognition and avoidance techniques.
See more about what respondents in the US and UK know (and don’t know) about topics like open-access WiFi, VPNs, and social media safety.
On Misuse of Corporate Devices
A prime side effect of today’s technology-driven workforce is that organizations must place a lot of trust in their employees to “do the right thing” with the devices, data, and systems they are given access to. We wanted to know: Is that trust misplaced?
There was quite a large difference in the number of employees who say they regularly use a corporate-issued device at home (71% in the US, 39% in the UK) — which reflects a work life/personal life separation with UK employees that we first caught a glimpse of in our 2017 State of the Phish survey. But what we really wanted to know was what personal activities these employees use those devices for. As you’ll see from the charts below, organizations are not as secure as they might think they are:
Question: What Personal Activities Do You Perform on Your Corporate Device?
We dug even deeper by asking these same employees what they allow their friends and family to do on their corporate devices. But for that…you’ll have to download the report. (Spoiler alert: we were floored by the responses.)