Employees Need Help Recognizing and Thwarting Cybersecurity Risks
Cybersecurity training is an ongoing concern for organizations in a world where high-profile online security breaches continue to make headlines. Lesser-known breaches also happen daily, pushing organizations to invest more money, time and effort into giving employees the information and training they need to recognize and ward off attempts by cybercriminals.
The threat is real. According to the FBI, the volume of cyberattack complaints its Cyber Division receives has risen to about 4,000 a day, a 400% increase over pre-COVID numbers. Interpol is also seeing an alarming rate of cyberattacks aimed at major corporations, governments and critical infrastructure.
“The newest vulnerabilities target remote workers,” Nextgov points out, “including millions of Americans currently working from home due to coronavirus spread [and using] unpatched virtual private networks and cloud collaboration services.”
Getting Employees to Step Up
Employees don’t have to become security and privacy experts, but their responsibilities with respect to privacy and/or legal matters need to be made clear, says KnowBe4. With its 2021 State of Privacy and Security Awareness Report, the organization set out to find out how much training in cybersecurity and privacy best practices employees are actually receiving. Working with Osterman Research, the company surveyed 1,000 employees in the U.S.
It found that:
- Lack of confidence is a core issue. While employees are generally confident with regard to password best practices, they do lack confidence in a number of other areas related to cybersecurity. “A lack of confidence leads to security failures,” KnowBe4 reports. Key issues include the inability to properly identify social engineering attacks, articulate security expectations for privileged vs. “standard” users and explain how cybersecurity risks could negatively impact their employers.
- The finance industry gets more attention. According to the survey, 91% of employees in this sector have received some form of training (versus 88% in IT and 76% in healthcare). KnowBe4 also reports that industries with the lowest risk provide the most training, “suggesting that the more aware employees are of various threats the better able they are to protect against them.”
- Many employees are not aware of various security risks. The survey found that just 48% of employees believe it is “likely” or “very likely” that their mobile devices could become infected with malware if they click on a suspicious link or attachment in an email. And 24% believe that clicking on a suspicious link or attachment in an email represents little or no risk. “We discovered that employees in government, healthcare, and education have the least understanding about various social engineering threats,” KnowBe4 points out.
- There’s a connection between training frequency and risk perception. KnowBe4 says employees who are trained once per month are 34% more likely to believe that clicking on a suspicious link or attachment in an email is risky compared to employees who receive training no more than twice per year. “Employees who receive training once per month are 26% more likely to believe that reusing passwords is a risky behavior,” it adds, “[versus] employees who receive training no more than twice per year.”
- Many employees need training about the problems associated with basic, risky behaviors. For example, KnowBe4 says one-third of employees still believe it’s safe to plug a USB drive they received at a trade show into their own computers. And, 45% say there’s no need for additional safeguards regarding cybersecurity because they don’t work in an IT department.
Fostering a Culture of Security
Stating that security awareness training needs to be made “relevant and memorable,” KnowBe4 says that despite the extensive digitization of organizations and society at large, most employees still struggle with the fundamentals. “Organizations need to focus not just on providing information but making it actionable and fostering a culture of security,” it recommends. “Only then can long-lasting changes be made that can reduce risk by having employees make informed choices.”