The majority of the American public lacks basic cybersecurity knowledge. In a Pew Research Center survey of 1,055 adult internet users, most respondents could answer only five of 13 knowledge questions correctly regarding key cybersecurity terms and concepts. While many users can identify a strong password when they see one and recognize the danger of using a public Wi-Fi network, many struggle with more technical cybersecurity concepts, such as two-factor authentication or whether an email they received was spoofed.
Despite the positive impact of good internet “hygiene,” the cybersecurity habits of the average user are lacking in many critical areas. What makes this worse is that, for the most part, these may be the very people working on your network!
These kinds of survey results shed light on the terrifyingly low level of knowledge about cybersecurity that is demonstrated by the average employee. This stands in stark contrast to the common perception of cybersecurity professionals, who tend to overestimate the knowledge of the general public regarding cybersecurity concerns. The discrepancy between what professionals and senior management think and what end users know and practice could be significant; this may be the reason why few organizations historically have had cybersecurity awareness training programs for their employees.
As security becomes increasingly complex, organizations are being tasked with making sure that everyone — not just IT personnel — is on the lookout for threats. In today’s multi-cloud environment, breaches and hacks can come from any direction. From a security standpoint, the “human factor” (human error) is the weak link in any cybersecurity initiative. But are all companies preparing their users for success? And are employees being trained to understand cybersecurity concepts and concerns?
Global spending on security awareness training for employees is predicted to reach $10 billion by 2027, according to the Security Awareness Training Report by Cybersecurity Ventures. As FPA works more and more in the “security” arena, I’m happy to report that we’re also starting to see the landscape change. Along with increasing interest in protecting networks from internal and external vulnerabilities, as well as in performing deep-dive security assessments, we’re seeing senior management become receptive to the idea of a more formal, ongoing security awareness training process for their staff.
Gone are the days when someone could simply be handed a machine and left to work on it; expectations are changing as clients increasingly see the value of investing in their staff to help them become better and more aware cyber citizens. The more cyber-aware employees become, the more protected your network will be.
From an IT pro’s perspective, the reports highlight a number of risks that employers should be cognizant of, including employees using work devices for personal activities such as online shopping and playing games. Needless to say, employees and employers need to do a better job of managing their internet “hygiene” as the Internet of Things (IoT) further complicates the security landscape. You can also evaluate your own cybersecurity knowledge by taking a brief quiz from the Pew Research Center.
If your organization doesn’t have a formal, ongoing security awareness training program in place, we’d strongly suggest you consider one. If you’d like to learn more about FPA’s managed user security awareness training program, feel free to contact me.