There’s a lot of room for improvement when it comes to educating employees about cybersecurity. Case in point: the cybersecurity awareness training firm KnowBe4’s State of Privacy and Security Awareness Report. This report details the state of employee awareness and practices, and it’s not good news for most organizations.
The report is based on feedback from 1,000 employees in small, midsize and large companies in the United States. Its purpose is to determine how much cybersecurity training workers have received and how that training translates into cybersecurity awareness. The report brings some alarming findings to the surface. For instance, surveyed employees could not identify some common and potentially devastating types of cyber risks, nor how those risks could adversely affect their employers.
According to the report, nearly one-quarter of employees believe that clicking on suspicious links or attachments presents little or no cyber risk. In reality, it’s one of the most common and effective strategies used by cybercriminals. Similarly, fewer than a third of respondents said that allowing family members and friends to use work devices outside of work hours is risky or presents serious risks. In reality, this practice breaks the human firewall chain and has led to breaches.
Perhaps most unsettling is that many employees who work in vulnerable sectors are not savvy when it comes to these matters. The survey found that only 14% of government employees and 22% of healthcare employees can confidently describe to senior management the negative effects of cybersecurity risks. This compares with 47% and 50% in technology and finance, respectively.
At the same time, the bad actors seem to be tuned into this reality. During the pandemic, cybercriminals have been taking advantage of the industries hit hardest, such as healthcare, municipalities, and educational facilities. These attackers also see the pandemic as an opportunity to take advantage of employees who are now working remotely on their personal devices.
According to the report, employees in government and healthcare had the least knowledge of social engineering attacks. Per the report, only 15% of government employees said they understood the five types of social engineering threats “very well”: phishing, spear phishing, business email compromise, vishing, and smishing. Workers in healthcare and education reported only slightly more awareness of these risks, at 16% and 17%, respectively.
This report and others like it underscore the need for regular employee training on cybersecurity risks and best practices; company-wide cyber policies outlining expectations for employees; the right preventive tools; and the right type and amount of cyber insurance coverage.