
Report Shows Appalling State of Employee Awareness of Common Cyber Security Risks

The cybersecurity awareness training firm KnowBe4 released its 2021 State of Privacy and Security Awareness Report detailing the appalling state of employee awareness and practices.

The report includes responses from 1,000 employees in small and midsize businesses (SMBs) and large corporations in the United States.

It attempted to determine how much cybersecurity training the workers received and the impact it had on employee awareness of common cybersecurity risks.

The report found that employees could not identify social engineering attacks, security expectations for standard and privileged users, and how cybersecurity risks could adversely affect their employers.

Employee awareness of cyber security risks lowest in government and healthcare

According to the KnowBe4 employee awareness report, about a quarter (24%) of workers believe that clicking on suspicious links or attachments carries little or no risk.

Similarly, less than a third (31%) of employees believed that allowing family members and friends to use work devices outside work hours is risky or presents serious risks. This practice breaks the human firewall chain and could lead to information disclosure. A similar number (31%) also believed that using the default password on a router represents significant security risks.

While business email compromise or CEO fraud is a growing problem costing millions of dollars, fewer than a third (31%) of employees understand it “very well” and could explain it to others.

Additionally, only 14% and 22% of government and healthcare employees, respectively, can confidently describe to senior management the negative effects of cybersecurity risks. These figures are a far cry from the 47% and 50% in technology and finance, respectively.

Similarly, employees in government and healthcare had the least understanding of social engineering attacks. According to the report, only 15% of government employees understood the five types of social engineering threats “very well.” These security risks include phishing, spear phishing, business email compromise, vishing, and smishing. Employees in health care and education did only slightly better at 16% and 17%, respectively. By contrast, 39% and 41% of employees in the finance and technology sectors, respectively, could confidently explain social engineering threats.

COVID-19 disrupted employee cybersecurity training

While cybersecurity training helped create employee awareness, the pandemic disrupted employee training.

Consequently, just over half (55%) of employees received continuous cybersecurity and data privacy training during the pandemic.

Nearly a quarter (23%) had their cybersecurity training stopped at the start of the lockdowns, while 22% had their training halted temporarily and later restarted during the pandemic.

Government and healthcare had the highest percentage (65% and 59%) of employees who continued receiving cybersecurity training during the pandemic.

KnowBe4, however, recommends continuous cybersecurity training and testing to maintain employee awareness.

According to the company, organizations should “phish your users at least once a month” to identify the phish-prone percentage of workers likely to become victims of phishing attacks.

Cybersecurity training has a positive impact on employee awareness

There is a relationship between cybersecurity training campaigns and employees’ perception of cybersecurity risks.

The finance industry received the most cybersecurity employee awareness training, with 91% of workers receiving some form of training, compared to 88% in technology, 84% in government, and 76% in healthcare.

According to KnowBe4’s security awareness report, employees who trained once per month were 34% less likely to click on suspicious links or attachments than those who received training no more than twice a year. Similarly, they were 26% more likely to believe that password reuse is risky.

Surprisingly, government and healthcare workers received more training, including continuous training during the pandemic, yet fared worse than other sectors.

The research, however, failed to explain why increased training failed to translate to more employee awareness in these sectors.

Employees don’t apply what they know in mitigating security risks

Despite understanding the impact of cybersecurity risks, most employees do not practice what they know.

While 52% of employees would likely report a security incident, only 27% probably do so, while 21% are unsure of what they would do or would simply refuse to report.

Similarly, while employees also understood the security risks of weak and reused passwords, fewer than half (46%) chose to use unique passwords on every device and application.

However, a third (34%) believed that simply using special characters like “&” or “$” was the best method of creating a strong password.

Evidently, cybersecurity training positively impacted employees, especially in technology and finance, although not at the desired proportions.

Most importantly, the report shows that continuous employee awareness training was more effective in mitigating cybersecurity risks.