The phishing simulation and security awareness training firm MediaPro has released its second annual State of Privacy and Security Awareness Report, which reveals 7 out of 10 employees do not have sufficient security awareness to prevent cyberattacks on their organization.
Even though the risk of phishing attacks has been widely publicized in the media over the past few years, and data breaches and cyberattacks have increased significantly, employees are still very bad at identifying potential scams. The lack of security awareness places companies at a high risk of experiencing network compromises and data breaches.
Data for the report came from an August 2017 survey conducted on 1,012 members of the public and employees from varied industries. Questions were asked about common cyberthreats, incident reporting, identifying personal information, access controls, working remotely, social media, cloud computing, and identifying malware and phishing attempts. Based on the responses to the questions, respondents were assigned a risk profile of ‘risk’, ‘novice’, or ‘hero’.
For the second consecutive year, the average respondent only achieved a risk profile of novice, showing most employees still lack the skills to prevent cyberattacks on their organization.
The security awareness of 20% of respondents was so low they were a major risk to their organization. What is particularly worrying is that last year only 16% of respondents achieved the lowest score. At the top end of the scale there was a noticeable improvement, with 30% of respondents rated heroes, compared to just 19% in 2016.
One of the areas that saw the worst scores was social media. 20% of employees displayed a lack of awareness of safe use of social media channels. 19% of respondents chose risky actions on public WiFi networks, such as connecting to work accounts on unsecured WiFi hotspots.
12% of respondents were unable to identify the signs of a malware infection when presented with real-world examples such as a sluggish computer and anti-virus software being suddenly deactivated. A lack of care about physical security controls was also displayed, with 24% of workers taking risky actions when presented with examples such as letting strangers into their place of work without seeing identification.
There is some good news from the study. Security awareness is improving overall. This year, 7 out of 10 respondents were rated novice or worse, whereas last year 9 out of 10 respondents achieved the two lowest risk profiles. While improvements have been made, there is still significant room for improvement. That will only be possible with continuous security awareness training for employees.
“With overwhelming data supporting the fact that employees are the weakest link in privacy and security, companies can’t rely on haphazard, annual training to solve the problem,” said Steve Conrad, MediaPro’s founder and managing director. “Instead, they’ve got to look to make continuous improvements in cybersecurity knowledge and behavior. We’re pleased to see a general improvement in security and privacy awareness this year, but we have our work cut out for us moving forward.”