We’ve observed, repeatedly, how individual employees can bring malware into company systems without intending to, and how they can invite cybercriminals to steal company data by being too trusting.
We’ve talked about employees being the weakest link in the security chain and the importance of cybersecurity awareness training in strengthening that link by changing employee attitudes about cybersecurity.
For the first time, two data-driven organizations in the U.S. and U.K. have reached across the Atlantic to conduct a survey asking individuals directly about their attitudes and behaviors related to cybersecurity.
Inaugural Report Released October 2021
In anticipation of Cybersecurity Awareness Month, the National Cybersecurity Alliance and CybSafe teamed up to survey 2,000 individuals on their attitudes about cybersecurity and their resultant behaviors. Conducted in mid-August, the survey engaged 1,000 U.S. citizens and 1,000 U.K. citizens. In terms of demographics, the majority were employed (54%) or retired (22%), white (74% U.S., 88% U.K.), and female (54%). In the U.S., 43% had an Associate degree or higher and in the U.K. 34% had a college degree. The survey resulted in the first Annual Cybersecurity Attitudes and Behaviors Report 2021.
The National Cybersecurity Alliance is a U.S. non-profit dedicated to creating a more secure interconnected world by educating people in effectively protecting themselves, their families, and their organizations from cybercrime.
CybSafe is a British company whose team of psychologists, behavioral scientists, and security experts develop leading security research initiatives aimed at better understanding human decision-making and security behavior. Together, they have published the inaugural report on this unique survey. We look forward to more.
So, Whose Job Is It, Really?
One of the most interesting insights from the survey, we believe, has to do with who is perceived to be responsible for keeping company data safe.
Specifically, the question was asked, “Whose main responsibility is it to protect your workplace’s online information?”
Only survey participants who were employed on a full-time or part-time basis were asked this question, to ensure that employees would be replying in the context of their company/employer. This constituted 55% of the total survey group, or 1,105 individuals out of the total 2,000.
Responses ranged from Most Responsible to Least Responsible. Surprisingly, three responses were virtually tied for first when the top two categories were combined to include “Most Responsible” and “Second Most Responsible” for protecting the organization’s online information. Survey respondents placed primary responsibility squarely and equally on their Organizations, their IT Departments, and their Governments.
It gets more interesting when we look exclusively at the “Most Responsible” category. In this singular view, one quarter of respondents (25%) named the Government as primarily responsible for protecting their company’s online data. One fifth (20%) named their IT Department as primarily responsible. By comparison, just 15% named their Organization as being most responsible for protecting its data online.
The Government is Responsible? An entity everyone loves to hate, the Government is guilty of all manner of sins—and now is responsible for poorly protecting the online data of public and private companies in the U.S. and U.K. Why the protection of online company data is laid at the Government’s feet is intriguing. In addition, with many citizens of the opinion that Government is already excessively involved in regulating businesses, it is interesting that some seem to think Government should be even more involved in business concerns.
However, there’s an even more surprising response to the question of who is mainly responsible for protecting an organization’s data online. By far the greatest proportion of respondents (40%) believe that they, as employees, have the least responsibility for protecting online data for their workplace.
Which brings us back to the concept of the weakest link, and offers another reason for that weakness—specifically, a perceived lack of employee responsibility for data protection. (Sounds like it might be time to dust off that cybersecurity training manual and schedule some training.)
The chart below shows all responses to this compelling question regarding responsibility for data protection. The chart is presented on page 18 of the Annual Cybersecurity Attitudes and Behaviors Report 2021.
National Cybersecurity Alliance Point of View
As part of Cybersecurity Awareness Month, the National Cybersecurity Alliance hosted a webinar entitled Cybersecuring America: Our Shared Responsibility.
In introducing the webinar, the NCA said, in part, “After a large number of recent high-profile cyberattacks, government and industry leaders are taking necessary steps to improve our nation’s cybersecurity. However, no initiative can exist on its own. Security efforts require well-coordinated public and private approaches to ensure that every part of our interconnected society is secure.”
The NCA website offers useful cybersecurity information for businesses and individuals. Prominently displayed in the business section, at the beginning of guidance debunking ten common misconceptions about cybersecurity, is a reminder that empowering employees with the resources and knowledge they need to protect their organizations from cyber threats is one of the best defenses a company can have.
Other Attitudes About Cybersecurity
In addition to the surprising attitudes about cybersecurity responsibility, the 2021 Report offers other insights as well.
The survey asked questions related to what are commonly considered seven core behaviors in support of better cybersecurity. These are (1) creating strong passwords, (2) using password management strategies, (3) using multi-factor authentication or MFA, (4) installing the latest software and applications, (5) checking email messages for their legitimacy, (6) reporting phishing emails, and (7) backing up data. We’ve addressed three of them here.
Almost one-third (31%) of respondents indicated they keep their online passwords written down in a notebook, as shown in this bar chart.
However, more than one quarter (26%) claim they simply remember their passwords without having to record them. While some of these respondents may have photographic memories, we suspect that many use the same passwords for all online accounts or use super-simple passwords, such as birthdays or password123, for example.
Either of these tactics is considered poor password management when it comes to keeping data secure and private—whether it’s your company’s information or your own personal data.
Software updates often include security improvements, which is why it’s so important to keep software applications current. This is especially true for the 93% of respondents who confirmed that they are online every day.
When asked “How often do you install the latest updates and software when notified they are available?” here are the responses received:
- An impressive 44% indicated they Always install the updates—which is great news for those individuals and their organizations.
- Another quarter (24%) said they Often install the updates when notified they’re available.
- However, nearly as many (21%) claim they Sometimes install them, which is not so good.
- And then there’s the 10% who either Rarely or Never install software updates or claim they don’t know how to do it.
Fortunately, some large vendors proactively push software updates directly to their users’ devices rather than sending notifications that an update is available for the user to install (and hoping they do it).
When respondents were asked how often they back up their most important data, the answers were encouraging. Almost one-third (30%) back up their data Always or Very Often. Kudos! Another 15% have turned on Automatic Backup on their devices so they don’t have to remember to do backups.
And another third (30%) Sometimes back up their most important data. This means that new data can accumulate over time and be at risk of ransomware and malware until a backup is performed. Even more disturbing, however, are the 15% who Rarely or Never back up data or claim they don’t know how to do so.
In recent years, several cloud storage providers have been working to make those data backups as easy as possible—although not all survey respondents trust in the security of cloud storage.
Many other survey responses and data charts are featured in the 53-page Annual Cybersecurity Attitudes and Behaviors Report 2021. Some are encouraging, more are concerning. There are also disconnects between what individuals believe about their cybersecurity behavior and what behaviors they actually exhibit. In other words, some are not walking the talk. As future annual surveys are published, it will be interesting to see whether user attitudes and behaviors about cybersecurity and data protection evolve over time.
From the inaugural survey and report, we came away with the perspective that maintaining effective cybersecurity, data security, and data privacy are still unfamiliar behaviors to many employees. We were reassured that Cybersecurity Awareness Month serves an important purpose in helping organizations raise awareness of online risks and cyberthreats among their employees. And, finally, we remain confident that regular cybersecurity awareness training will continue to play a vital role in helping organizations better protect their data by strengthening the weakest link in the security chain.