I’m not a big fan of the “you can’t fix stupid” mindset that is a popular fallback for IT professionals who are running unsuccessful employee security-awareness training programs. That said, I do understand it. It is easier, after all, to categorize end-user incompetence as incurable than it is to self-examine and determine why cybersecurity efforts aren’t bearing fruit.
I honestly believe overconfidence in user awareness is contributing to the issues organizations are having in moving the dial on employee cybersecurity behaviors. Those of us who work in this industry — who live and talk and read about these topics on an hourly basis — tend to overestimate the knowledge the general public has about security risks and basic best practices. This could be leading infosec professionals to believe that end users “know better” — and, as such, are “stupid” for falling for phishing attacks — when, in fact, they don’t know enough.
Wombat Security’s 2017 User Risk Report, released in June, shows that end users have not yet gotten the message about cybersecurity fundamentals. We surveyed more than 2,000 working adults — 1,000 in the U.S. and 1,000 in the U.K. — about topics and best practices that are essential to data and network security. (Interestingly, the survey concluded less than 24 hours before the first reports of the global WannaCry ransomware attack began to spread, so the results reflect a relatively “pure” level of awareness, uninfluenced by the increased media exposure WannaCry generated.)
As part of the survey, we repeated two questions that were originally asked of working-age adults for January’s 2017 State of the Phish Report: “What is phishing?” and “What is ransomware?” Even though there had been a lot of talk about phishing and ransomware during the several months between the two surveys, we saw virtually no change in the results: 30 percent of global respondents were unable to identify phishing in basic terms, and 13 percent of those were not even willing to guess at the answer.
Respondents fared even worse on the ransomware awareness front. Fewer than half (37 percent in the U.S. and 42 percent in the U.K.) were able to accurately identify what ransomware is — and 39 percent of U.K. respondents wouldn’t even hazard a guess on this multiple-choice query.
Obviously, the need for good cybersecurity hygiene doesn’t end with email. That’s why we extended the survey to various other topics, including password use (and reuse), social media, open-access WiFi and use of anti-virus software. We found several points of concern:
19 percent of U.K. respondents and 12 percent of U.S. participants repeat the same one or two passwords on all of their online accounts.
57 percent of U.S. respondents believe that social media platforms like Facebook and Twitter approve business pages before they are posted (just 25 percent of U.K. participants believed the same).
54 percent of U.S. respondents (vs. 27 percent of their U.K. counterparts) believe that if they are in a place they trust — like an international airport or a high-end hotel — they can trust the location’s free WiFi service to keep their information secure.
58 percent of U.S. survey participants and 37 percent of U.K. respondents believe that up-to-date anti-virus software can prevent them from being impacted by a cyberattack.
These and other statistics revealed in the User Risk Report show that there is still much to be done on the security awareness front, as well as the cybersecurity education front. These two pieces — awareness and training — work together to raise cyber hygiene, and you cannot expect to see behavior change without both components. It’s critical that end users be conscious of the threats they are likely to encounter on a day-to-day basis — both at work and at home — and that they be taught how to recognize and avoid attacks, apply best practices that will keep their data and devices safe, and report instances that are out of the ordinary.
Instead of assuming too much about your end users and writing them off, consider rewriting your awareness and training approach. As a community of experts, we have an obligation to increase awareness and then, of course, knowledge overall, so that the next User Risk Report shows improved results.