blog-logo.png

A BLOG ABOUT CYBER SECURITY

Wombat Security is a leader in security awareness and training. Our blog covers the latest cyber security news, insights, and best practices. We arm infosec professionals with the knowledge and tools they need to improve end-user behaviors and reduce organizational risk.

User Risk Report Shows Marked Lack of Security Awareness Among Workers

Posted by Gretel Egan on Jun 15, 2017 1:40:36 PM

Topics: Cyber Threats, Risk Management, Phishing, Research and Analysis, All Posts, Ransomware

Wombat_Blog_UserRisk_June2017.jpgEarlier this week, we released our 2017 User Risk Report, which features the results of a survey of more than 2,000 working adults — 1,000 in the US and 1,000 in the UK — who were asked about cybersecurity topics and best practices that are fundamental to data and network security. What we found out about the personal habits of these individuals was sometimes heartening, occasionally perplexing, and frequently terrifying — but always enlightening.

An interesting note before you dive into the highlights below: Our survey concluded less than 24 hours before the first reports of the global WannaCry ransomware attack began to spread. As such, the responses of the participants were not influenced by the increased media exposure that resulted from WannaCry.

On Phishing and Ransomware

Like everyone in the cybersecurity space, we’re always interested to gain insights into what end-users do and do not know about phishing attacks. As such, we repeated two questions that we originally asked of survey respondents for our 2017 State of the Phish Report: “What is phishing?” and “What is ransomware?”

We did not see a big change in results over these past several months. Though there is a positive to the fact that 70% of US and UK respondents were able to identify phishing in basic terms, there are still 30% who don’t know what it is (with 13% of those not even willing to take a guess).

Recognition of ransomware was, unfortunately, even lower (an important point given that WannaCry started its spread just 24 hours after the close of our survey). As you’ll note in the image below, fewer than half of respondents (37% in the US and 42% in the UK) were able to accurately identify what ransomware is — and 39% of UK respondents wouldn’t even hazard a guess on this multiple-choice query.

Question: What Is Ransomware?

WhatIsRansomware_Results.png


We find it interesting to equate this to people, not just percentages. Putting these results into the context of a 2,000-person organization:

  • 3 out of every 10 — or 600 people — would have no clue what phishing is.
  • 6 out of every 10 — or 1,200 people — would not be able to tell you what ransomware is.

If you are assuming that your employees know what phishing and ransomware are, it’s probably time to reevaluate that. And it’s certainly time to recognize that, even if they are able to correctly point out the definitions of these terms, awareness of the threats doesn’t equate to knowledge of real-world recognition and avoidance techniques.

color_bar.png

See more about what respondents in the US and UK know (and don’t know) about topics like open-access WiFi, VPNs, and social media safety.

Read the Report

color_bar.png

On Misuse of Corporate Devices

A prime side effect of today’s technology-driven workforce is that organizations must place a lot of trust in their employees to “do the right thing” with the devices, data, and systems they are given access to. We wanted to know: Is that trust misplaced?

There was quite a large difference in the number of employees who say they regularly use a corporate-issued device at home (71% in the US, 39% in the UK) — which reflects a work life/personal life separation with UK employees that we first caught a glimpse of in our 2017 State of the Phish survey. But what we really wanted to know was what personal activities these employees use those devices for. As you’ll see from the charts below, organizations are not as secure as they might think they are:

Question: What Personal Activities Do You Perform on Your Corporate Device?

WhatDoYouDoWithCorporateDevices.png

 

We dug even deeper by asking these same employees what they allow their friends and family to do on their corporate devices. But for that…you’ll have to download the report. (Spoiler alert: we were floored by the responses.)

icon-book.png

Try Our Interactive Security Awareness Training Modules

Our 25+ interactive training modules in topics like Email Security, URL Training, Mobile App Security, and more are proven to change the behavior of end users and reduce risk.

Try Our Modules