For three years now, MediaPRO, the security awareness training firm, has conducted a yearly study to assess security awareness and knowledge of cybersecurity best practices of employees.
The study determines the vulnerability of employees to different security threats and analyzes their capability to identify phishing threats, potential malware infections, cloud computing and social networking hazards, understanding of best practices regarding working remotely, physical safety measures, and reporting security problems.
The State of Privacy and Security Awareness study was conducted on 1,024 employees from 7 industries. Respondents were required to answer questions associated with all the elements of privacy and security mentioned above.
MediaPRO then categorized the participants according to the number of questions they got right. The categories were:
- Hero – A person who has an excellent understanding of security and is aware of how they should safeguard assets.
- Novice – A person who has a fair understanding of the fundamentals of security, but improvement in key areas is necessary.
- Risk – A person who lacks knowledge of risks and best practices and is considered to be a risk to their company.
This year, 25% of the employees were rated as Hero while 75% lacked security awareness, having responded correctly to less than 90% of the questions. The results of the study are noticeably worse than last year.
In 2016, just 16% of employees were categorized as risks. In 2017, the percentage rose to 19% and this year, 30% of employees were categorized as a risk. The percent of heroes likewise dropped year-over-year from 30% in 2017 to 25% in 2018. Study participants rated as novices decreased from 51% in 2017 to 45% in 2018.
Employees were worse at reporting suspicious activities, cloud computing security, detecting physical security threats, identifying personal data, detecting malware infections, and determining potential phishing attacks. One fourth of employees who work remotely or use social media sites took risks, compared to only one fifth last year.
Employees who hold management positions performed worse than employees in lower positions. 77% of managers lacked security awareness to some degree compared to 74% of employees in lower positions.
It is quite worrisome that employees continue to fail to detect phishing emails, considering that phishing attacks have increased significantly in recent years. In 2017, only 8% of employees did not answer the phishing questions correctly. This year, the percentage had increased to 14%. 58% of participants lacked understanding of email threats, particularly Business Email Compromise (BEC) scams.
Although 8 out of 10 study participants correctly identified the phishing emails, 18% opted to open attachments or click links in messages sent by an unidentified person to determine what they were about. What’s more troublesome is that the employees most vulnerable to phishing attacks were in the financial sector.