The State of User Cybersecurity Behavior in 2023
New Internet User Survey Offers a Few Surprises
Now in its third year, the survey conducted annually by the National Cybersecurity Alliance and CybSafe has expanded substantially to include more countries and respondents. The inaugural analysis, conducted in mid-August 2021, surveyed 1,000 U.S. citizens and 1,000 U.K. citizens. The 2023 survey, conducted in late April 2023, included 6,064 individuals in the United States, Canada, the United Kingdom, Germany, France, and New Zealand.
- The National Cybersecurity Alliance is a U.S. non-profit dedicated to creating a more secure interconnected world by educating people in effectively protecting themselves, their families, and their organizations from cybercrime.
- CybSafe is a British company whose team of psychologists, behavioral scientists, and security experts develop leading security research initiatives aimed at better understanding human decision-making and security behavior.
The results of their annual survey are published in the Cybersecurity Attitudes & Behaviors Report, which is released each October at the beginning of Cybersecurity Awareness Month.
About Cybersecurity Awareness Month
Cybersecurity Awareness Month is a collaboration between the U.S. government and private industry to raise awareness about user cybersecurity behavior and the importance of online security. In doing so, it empowers individuals and organizations to protect their personal and sensitive data from cybercrime and other digital forms of crime. The Cybersecurity Infrastructure Agency (CISA) and the National Cybersecurity Alliance partner to provide useful resources and communications that make it easier for organizations to advise their employees and customers about staying safe online.
2023 marks the 20th celebration of Cybersecurity Awareness Month. In recognition of this milestone, a new year-round awareness campaign has been created along with an evergreen Cybersecurity Awareness Month theme. The new Secure Our World theme is intended to remind all of us, throughout 2023, that there are simple ways to protect ourselves, our families, our businesses, and our employers from online threats. Secure Our World focuses on four key behaviors that can have an enormous impact on our online security, including:
-
Using strong passwords for all accounts, and using a password management tool to maintain passwords and keep them secure,
-
Enabling multifactor authentication to sign into accounts whenever it is available,
-
Recognizing and reporting phishing scams (which often lead to ransomware exploits), and
-
Keeping all device software up-to-date, because software updates frequently include security upgrades.
These are the four simple actions every individual and organization must take in order to achieve and maintain fundamental cybersecurity across their devices and online accounts. Interestingly, these user cybersecurity behaviors also figure prominently in the 2023 Cybersecurity Attitudes & Behaviors Report.
Lessons from Three Years of Cybersecurity Surveys
From the first three years of user cybersecurity surveys and reporting, five core security behaviors have emerged. It is no accident that four of these essential behaviors are echoed in the Secure Our World cybersecurity theme above. These five core user cybersecurity behaviors represent solid best practices and warrant immediate adoption.
- Ensuring robust password hygiene by using strong and separate passwords, changing them frequently, and using password management techniques.
- Enabling multifactor authentication (MFA) on all accounts,
- Installing the latest software updates for all devices,
- Reviewing emails for signs of phishing schemes and reporting them appropriately, and
- Backing up data. (This is the only fundamental not included in the 2023 cybersecurity awareness theme.)
Basics of the 2023 User Cybersecurity Behavior Survey
The survey continues to evolve to encompass more employees in addition to independent individuals. This year, significantly, two-thirds of respondents (66%) were employed by organizations, which makes the findings especially useful for employers. All 6,064 respondents were age 18 or over, and all data was collected between April 13 and April 27, 2023.
This year, 93% of participants indicated they live on the Internet, and are online at least once a day, every day. (7% are online less than once a day.) All respondents have multiple online accounts across different websites and applications, with some accounts containing sensitive or personal information. Nearly half of respondents (47%) maintain ten or more sensitive online accounts, and 15% admit they have lost track of how many accounts they have.
Gaps in Cybersecurity Training
It is universally accepted that training employees in cybersecurity awareness and online responsibility is a vital component of an effective and compliant cybersecurity program. As a corollary, individual computer users who are cybersecurity aware tend to seek out effective protections for their online activities.
According to this year’s user survey, however, almost three-quarters of respondents either lack access to cybersecurity training (64%) or do not take advantage of the access they have (10%). Just 26% report having access to training and using that access to obtain training.
Breaking it down further, 35% of employees reported having access to training and taking advantage of it, as did 28% of students. More and more employers and educational institutions are offering cybersecurity training to users in an effort to strengthen security throughout their organizations.
Cybersecurity Training Does Have an Impact
As to the effect of cybersecurity training on those who took advantage of it, the results are reassuring. Half of respondents (50%) felt they became better at recognizing and reporting phishing emails.
More than a third (37%) started using strong passwords and different passwords for each account, and a third (34%) began using multifactor authentication, indicating solid progress in user cybersecurity behavior.
A third (32%) also reported beginning to use a password management tool of some kind to keep track of their passwords and keep them secure.
The fact that training produces more effective security behaviors among many users is highly important. It also reinforces the vital focus on regular cybersecurity training that has become ingrained, finally, in so many organizations throughout the U.S. and internationally.
Who Is Responsible for Protecting Online Data?
This continues to be one of the most compelling questions in the user survey, and 2023 results are far different from 2021 results—due primarily to a key rephrasing of the question.
In 2021, the question related to protecting “your company’s online data.” In 2023, the revised question asked about protecting “your information,” thereby personalizing or individualizing the question.
Compare the difference in user responses:
- In 2021, one-quarter of respondents (25%) named the government as primarily responsible for protecting their company’s online data. 20% named their IT department and 15% their organization as being most responsible for protecting its data online.
- In 2023, the results are markedly different, with two-thirds of users (66%) taking responsibility for protecting their information. That is a significant majority. 41% pointed to the application or platform they used, and 31% to their internet service provider as being primarily responsible for protecting their information online. With the rephrasing, only 16% felt the government was responsible for protecting their data, and just 10% pointed to their employers.
Clearly, the rephrasing of this question has made an enormous difference in user responses. Another influence is the positive effect that employee training in cybersecurity and data protection has had on the response—as supported by the preceding section on the favorable impact of training.
Summary
Many other survey responses and data charts are featured in the 102-page 2023 Cybersecurity Behaviors Report (up from 53 pages in 2021). As future annual surveys are published, we look forward to witnessing how user cybersecurity behavior and user attitudes toward online risks continue to evolve over time.
Cybersecurity Awareness Month, each October, helps organizations raise employee awareness of online risks and cyber threats. Organizations that conduct regular cybersecurity training for their employees have seen the effectiveness of that training demonstrated in these user survey results. Cybersecurity training will continue to play a vital role in helping organizations better protect their data by strengthening the weakest link in the security chain—their employees. The Cybersecurity Awareness Month theme, Secure Our World, will prevail throughout the year to reinforce these and other lessons for all of us who work, play, and live online.