The 2017 User Risk Report from Wombat Security Technologies has shown that UK and US workers are engaging in risky activities at work and on work devices. Those activities are placing their employers at risk of cyberattacks. The survey also showed the shocking state of security awareness among workers.
Respondents were asked questions about the activities they engaged in at work or on work devices, password security, mobile device habits and general information about cybersecurity.
The threat from phishing is greater than ever before. Phishing emails are being sent by the millions and not a day goes by without a report of a malware or ransomware attack in the media. Yet, even though there is a high risk of an attack, the survey showed that 30% of those surveyed did not even know what phishing is. Wombat explained that 10% of respondents – 200 individuals – could not even guess what phishing is.
The survey was conducted the day before news of the WannaCry ransomware attacks broke. The attacks were widely covered in the media, raising awareness of the malicious file-encrypting malware. However, prior to that attack, an alarming 63% of US respondents and 58% of UK respondents did not know what ransomware is.
Many respondents were issued with mobile devices by their employers, but a considerable percentage were engaging in risky behavior. 46% of respondents allowed friends and family members to check their emails on their work device, 43% allowed them to check social media sites and 50% let them play games.
If employees do not know what threats they face on a daily basis, they cannot be expected to take the appropriate action to prevent becoming a victim.
It is easy for individuals in cybersecurity or IT to overestimate how well the general public and employees understand cybersecurity risks. It is easy to assume in this day and age that employees will be aware that they should not open email attachments from individuals they do not know. They should be aware of what a strong password is and why it is so important, and that they need to assume that every email they receive could be malicious. But if employees are not told about the risks and threat level, they are likely to make security howlers time and time again.
Wombat reports that only half of companies are providing security training to employees. The findings of this survey show just how important it is for the other 50% to run training courses for their staff as well.