Now in its third year, the survey conducted annually by the National Cybersecurity Alliance and CybSafe has expanded substantially to include more countries and respondents. The inaugural analysis, conducted in mid-August 2021, surveyed 1,000 U.S. citizens and 1,000 U.K. citizens. The 2023 survey, conducted in late April 2023, included 6,064 individuals in the United States, Canada, the United Kingdom, Germany, France, and New Zealand.
The results of their annual survey are published in the Cybersecurity Attitudes & Behaviors Report, which is released each October at the beginning of Cybersecurity Awareness Month.
Cybersecurity Awareness Month is a collaboration between the U.S. government and private industry to raise awareness about user cybersecurity behavior and the importance of online security. In doing so, it empowers individuals and organizations to protect their personal and sensitive data from cybercrime and other digital forms of crime. The Cybersecurity Infrastructure Agency (CISA) and the National Cybersecurity Alliance partner to provide useful resources and communications that make it easier for organizations to advise their employees and customers about staying safe online.
2023 marks the 20th celebration of Cybersecurity Awareness Month. In recognition of this milestone, a new year-round awareness campaign has been created along with an evergreen Cybersecurity Awareness Month theme. The new Secure Our World theme is intended to remind all of us, throughout 2023, that there are simple ways to protect ourselves, our families, our businesses, and our employers from online threats. Secure Our World focuses on four key behaviors that can have an enormous impact on our online security, including:
Using strong passwords for all accounts, and using a password management tool to maintain passwords and keep them secure,
Enabling multifactor authentication to sign into accounts whenever it is available,
Recognizing and reporting phishing scams (which often lead to ransomware exploits), and
Keeping all device software up-to-date, because software updates frequently include security upgrades.
These are the four simple actions every individual and organization must take in order to achieve and maintain fundamental cybersecurity across their devices and online accounts. Interestingly, these user cybersecurity behaviors also figure prominently in the 2023 Cybersecurity Attitudes & Behaviors Report.
From the first three years of user cybersecurity surveys and reporting, five core security behaviors have emerged. It is no accident that four of these essential behaviors are echoed in the Secure Our World cybersecurity theme above. These five core user cybersecurity behaviors represent solid best practices and warrant immediate adoption.
The survey continues to evolve to encompass more employees in addition to independent individuals. This year, significantly, two-thirds of respondents (66%) were employed by organizations, which makes the findings especially useful for employers. All 6,064 respondents were age 18 or over, and all data was collected between April 13 and April 27, 2023.
This year, 93% of participants indicated they live on the Internet, and are online at least once a day, every day. (7% are online less than once a day.) All respondents have multiple online accounts across different websites and applications, with some accounts containing sensitive or personal information. Nearly half of respondents (47%) maintain ten or more sensitive online accounts, and 15% admit they have lost track of how many accounts they have.
It is universally accepted that training employees in cybersecurity awareness and online responsibility is a vital component of an effective and compliant cybersecurity program. As a corollary, individual computer users who are cybersecurity aware tend to seek out effective protections for their online activities.
According to this year’s user survey, however, almost three-quarters of respondents either lack access to cybersecurity training (64%) or do not take advantage of the access they have (10%). Just 26% report having access to training and using that access to obtain training.
Breaking it down further, 35% of employees reported having access to training and taking advantage of it, as did 28% of students. More and more employers and educational institutions are offering cybersecurity training to users in an effort to strengthen security throughout their organizations.
As to the effect of cybersecurity training on those who took advantage of it, the results are reassuring. Half of respondents (50%) felt they became better at recognizing and reporting phishing emails.
More than a third (37%) started using strong passwords and different passwords for each account, and a third (34%) began using multifactor authentication, indicating solid progress in user cybersecurity behavior.
A third (32%) also reported beginning to use a password management tool of some kind to keep track of their passwords and keep them secure.
The fact that training produces more effective security behaviors among many users is highly important. It also reinforces the vital focus on regular cybersecurity training that has become ingrained, finally, in so many organizations throughout the U.S. and internationally.
This continues to be one of the most compelling questions in the user survey, and 2023 results are far different from 2021 results—due primarily to a key rephrasing of the question.
In 2021, the question related to protecting “your company’s online data.” In 2023, the revised question asked about protecting “your information,” thereby personalizing or individualizing the question.
Compare the difference in user responses:
Clearly, the rephrasing of this question has made an enormous difference in user responses. Another influence is the positive effect that employee training in cybersecurity and data protection has had on the response—as supported by the preceding section on the favorable impact of training.
Many other survey responses and data charts are featured in the 102-page 2023 Cybersecurity Behaviors Report (up from 53 pages in 2021). As future annual surveys are published, we look forward to witnessing how user cybersecurity behavior and user attitudes toward online risks continue to evolve over time.
Cybersecurity Awareness Month, each October, helps organizations raise employee awareness of online risks and cyber threats. Organizations that conduct regular cybersecurity training for their employees have seen the effectiveness of that training demonstrated in these user survey results. Cybersecurity training will continue to play a vital role in helping organizations better protect their data by strengthening the weakest link in the security chain—their employees. The Cybersecurity Awareness Month theme, Secure Our World, will prevail throughout the year to reinforce these and other lessons for all of us who work, play, and live online.