Seventy-five percent of professionals pose a moderate or severe risk to the security of their company’s data, according to the results of MediaPRO’s third-annual State of Privacy and Security Awareness Report.
We surveyed 1,024 employees across the U.S. to quantify the state of privacy and security awareness in 2018. More people fell into the risk category than in 2017, and the number has nearly doubled since the inaugural survey in 2016. This comes despite continued exposure to reports of hacks and data loss.
Survey takers were polled on a variety of questions based on real-world scenarios, such as correctly identifying personal information, logging on to public Wi-Fi networks, and spotting phishing emails. Based on the percentage of privacy- and security-aware behaviors correctly identified, survey takers were assigned to one of three risk profiles: Risk, Novice, and Hero.
“We live in an age where stories about cybersecurity are constantly swirling, which can actually create a sense of security fatigue,” said Tom Pendergast, our own Chief Security & Privacy Strategist. “But these levels of riskiness are alarming. It only takes one person to click on the wrong email that lets in the malware that exfiltrates your company’s data. Without everybody being more vigilant, people and company data will continue to be at risk.”
The news is filled with reports of cyberattacks, data leaks and ransomware that can cost companies an average of $7.91 million in the U.S. Yet, according to historical data from our inaugural report, the number of individuals who put their organizations at serious risk for a privacy or security incident (those placed in the “Risk” profile) has nearly doubled since 2016.
Other notable findings from this year’s report include:
- Employees this year performed worse than in 2017 across all eight threat vectors measured. Specifically, those surveyed did significantly worse in identifying malware warning signs, knowing how to spot a phishing email, and social media safety.
- Employees in management roles or above showed riskier behaviors than entry- or mid-level employees. Seventy-seven percent of respondents in management showed a general lack of awareness, while 74 percent of those in subordinate positions showed the same lack of awareness.
- Finance sector employees performed the worst of the seven industry segments analyzed, with 85 percent of finance workers showing some lack of cybersecurity and data privacy knowledge.
- Fourteen percent of employees lacked the ability to correctly identify phishing emails. This is a notable increase from our 2017 survey, in which only 8 percent of employees struggled in this area.
“The overall results of this report revealed a trend we weren’t happy to see: employees performing worse across the board compared to the previous year,” Pendergast said. “Rather than dwell on how much the average employee still has to learn, this report should be taken as a roadmap for a robust security and/or privacy awareness initiative — one that will ultimately lead to real behavior change.”
Such behavioral changes are not achieved overnight, nor are they earned through one-off employee awareness training on security and privacy topics.
Employee education is only achieved through varied training content and delivery methods, deployed on a repeating basis. When behavior change is achieved, it will be evident in employees combining policy know-how, common sense, and a keen eye for detail as they regularly align their actions with your organization’s security and privacy principles.