With phishing, ransomware, and other cybersecurity threats as front-page news, it stands to reason that the average end-user has a good idea of the dangers that are lurking in email, social media, and beyond… right? Not so fast. The new User Risk Report from Wombat Security, a division of Proofpoint, shows that InfoSec professionals are likely overestimating how cyber-savvy employees are—and underestimating how users’ personal habits influence organizational risk.
Wombat’s second annual User Risk Report reveals the results of an international survey of more than 6,000 working adults across six countries: the US, UK, Germany, France, Italy, and Australia. This third-party survey included questions designed to gather data about end-user actions and capabilities that affect device, data, and system security, including the following:
- Understanding of cybersecurity fundamentals (such as phishing, ransomware, and Wi-Fi security)
- Password management and attention to physical security measures
- Use of data protections, such as virtual private networks (VPNs) and file backups
- Application of best practices related to activities such as social media sharing and use of employer-issued devices
Wombat presents global averages of the responses—and notes a few outliers—throughout the study, but the report also includes country-by-country breakdowns in the appendix so you can get a sense of how respondents’ answers varied by region.
Key findings
As with last year’s study, the findings of the 2018 User Risk Report are sometimes heartening, occasionally perplexing, and frequently terrifying—but always enlightening.
Wombat found that, globally, smartphones and home Wi-Fi networks are used by more than 90% of working adults, and 39% of respondents said they blend work and personal activities on their smartphones. Unfortunately, many of these individuals are not taking basic security measures, which is putting organizations at greater risk (particularly those that support remote and/or traveling workers).
Following are a few key areas for improvement:
- 44% of global respondents do not password-protect their home Wi-Fi networks, and 66% have not changed the default password on their Wi-Fi routers.
- 55% of workers who use employer-issued devices at home allow family members to use them for things like shopping online and playing games.
- 67% believe using antivirus software and keeping it up to date will stop cyber attacks from affecting their computer.
- Among working adults who do not use a password manager, more than 60% admitted to reusing passwords across multiple online accounts.
Get proactive about user awareness
The User Risk Report shows that working adults around the globe still lack awareness of fundamental cybersecurity topics—including those noted above, as well as phishing, ransomware, and malware. Clearly, it’s time for InfoSec teams to take a hard look at how they are approaching security awareness training and to consider how deeply a lack of cybersecurity education may be hurting organizational security postures.
Quite simply, it’s dangerous to continue making assumptions about what users do and do not know about cybersecurity best practices. What you think employees should know is of little relevance if they simply don’t know it. For cybersecurity to become an ongoing priority and pursuit for your end users, security awareness training must be an ongoing priority and pursuit for your organization.
You can download your free copy of the User Risk Report, which includes country-by-country breakdowns of survey answers, on the Wombat Security website. To hear analysis of more key findings, register now to access the replay of the SecureWorld 2018 User Risk Report web conference, in which panelists discuss the ways end-user behaviors are impacting organizations worldwide and provide tips for mitigating that risk. CPE credits are available.
