Organizations can invest heavily in cybersecurity and implement multiple layers of defense to stop malicious actors from gaining access to their networks, but those defenses can still be breached, and in the majority of cases those breaches are due to an error by a single employee. The risk of employees making mistakes cannot be eradicated, but it can be managed and reduced by providing cybersecurity training and introducing cybersecurity protocols.
Train employees to recognize and avoid threats, make sure everyone is aware of the cybersecurity best practices they need to follow, and the risk of a successful cyberattack and data breach can be significantly reduced. It has never been more important to do so: cyberattacks have been increasing, and cybersecurity risks are rising in step with an expanding attack surface.
The current level of cybersecurity risk was recently explored in the 2022 EY Human Risk in Cybersecurity Survey, which was conducted on 1,000 employed Americans to find out more about their cybersecurity awareness and whether cybersecurity best practices were being followed. The survey highlights generational differences when it comes to cybersecurity and the risks that many employees are taking using their work devices, despite being given cybersecurity training.
The survey revealed that 83% of employees were aware of their organization’s cybersecurity policies and 84% of respondents felt they were prepared to avoid cybersecurity risks at work, with more than three-quarters of employees (76%) considering themselves knowledgeable about cybersecurity. However, only one-third of respondents (35%) considered themselves very prepared to deal with cybersecurity risks, and less than half said they were very confident in their ability to follow specific cybersecurity best practices at work. Only 50% said they used strong passwords, 43% said they keep their devices up to date, 41% were confident about avoiding phishing threats, 38% said they could avoid ransomware, and only 32% said they encrypted their data.
Interestingly, younger generations of workers that have grown up in an online environment and have a largely digital lifestyle were more likely to take cybersecurity risks than older generations. For instance, 58% of Gen Z respondents and 42% of millennials said they avoided applying security updates for as long as possible, compared with 31% of Gen X respondents and 15% of baby boomers.
When it comes to password management it was a similar story: 30% of Gen Z and 31% of millennials said they use the same passwords for their professional and personal accounts, compared with 22% of Gen X and 15% of baby boomers. Gen Z (48%) and millennials (43%) were also much more likely to accept web browser cookies on work devices most of the time than Gen X (31%) and baby boomers (18%). Younger generations were also more likely to take cybersecurity more seriously on their personal devices than at work: almost half of Gen Z respondents and one-third of millennials said they take cybersecurity protection on their personal devices more seriously than on their work devices. While the majority of respondents said they would report a potential breach or cybersecurity failure to their IT department or supervisor, worryingly, 16% of employees would try to resolve the problem themselves. Education should focus on the importance of reporting, and employers should reward good cybersecurity practices and turn mistakes into a teaching moment.
The survey confirmed that an effective strategy for cybersecurity training is to make it role specific. Respondents who received role-specific training in the past 12 months were significantly more likely to implement cyber-safe practices at work, such as setting strong passwords, updating software, encrypting data, and avoiding phishing and ransomware threats, than employees who had not had any training for more than a year. Business leaders can improve engagement by making cybersecurity training more personal: covering not just how to be secure at work but how to be secure in their personal lives, and providing guidance that is immediately actionable to improve security and reduce risk.
It is also important to make it as easy as possible for employees to follow cybersecurity best practices. Password practices are often poor, so employers should provide a password manager to make it as easy as possible for employees to create strong passwords (and not have to remember them). As with making training personal, consider offering a password manager for personal use as well, especially considering the high numbers of employees who use the same passwords for work and personal accounts.
“Companies are investing to embed cybersecurity in every business unit as they digitally transform, but software, controls, processes and protocols are only part of the equation for minimizing cyber risk,” said Tapan Shah, EY Americas Consulting Cybersecurity Leader. “Increasing enterprise-wide security also requires a holistic focus on the human, engaging every employee and embedding safety checks and protocols that make the risks tangible in their professional and personal lives.”