Ignorance Isn’t Bliss: How Tech Users Lack Fundamental Cybersecurity Knowledge
Not surprisingly, internet connectivity is at an all-time high.
Also not surprisingly, this has led to a rise in cyberattacks: phishing and identity theft are prevalent (yet underreported), and the adoption of best practices continues to lag as nearly two-thirds of tech users lack access to basic cybersecurity knowledge.
These are the key findings of Oh Behave! The Annual Cybersecurity Attitudes and Behaviors Report 2022, from the National Cybersecurity Alliance (NCA) and CybSafe. The report, which polled 3,000 people across the U.S., U.K., and Canada, was released today ahead of NCA’s Cybersecurity Awareness Month in October.
“Cyberattacks have grown in frequency especially over the last few years, with the pandemic accelerating and forever changing the attack surface against consumers and businesses,” said Lisa Plaggemier, NCA executive director. “However, bad actors continue to successfully claim victims via low-tech (but still effective) methodologies.”
Clean up your passwords
One of the most troubling findings: Weak password hygiene.
Although 45% of respondents said they are always online, just 16% reported that they create passwords more than 12 characters long. Similarly, 40% don’t use strong password combinations, and only 7% use a password manager.
Also, more than a third (37%) of respondents preferred to write passwords in a notebook, 28% store them electronically and 22% “just remember them.”
“It’s alarming because each of these methodologies for password hygiene has massive weaknesses that can ultimately cause passwords to fall into the wrong hands,” said Plaggemier.
Also according to the report:
- 43% of respondents had never heard of multifactor authentication (MFA).
- 37% do not have automatic software updates enabled.
- 35% presumed that their devices are automatically secure.
Simply put, technology users don’t like passwords and struggle overall with “sensible security hygiene,” said Plaggemier.
To defend themselves and their employees, companies should use a combination of MFA, zero-trust policies, and good password hygiene. This means mandating the use of passphrases that are at least 12 characters long. Users must create and maintain unique, multicharacter-sequence passwords for the ever-increasing number of online accounts they log into.
“Regardless of length, if passwords are predictable or lack a differentiation of characters, bad actors have a significantly greater chance of compromising or brute-forcing their way into a respective user’s account,” said Plaggemier.
Phishing and identity theft are the most prevalent attacks
Out of more than 1,700 incidents of cybercrime disclosed by participants, 36% were phishing attacks that led to a loss of money or data and 24% were identity theft. The report also found that:
- Participants in the U.S. were consistently more likely to have been victims of cybercrime.
- 20% of Millennials and 18% of Gen Z had their identity stolen at least once.
- 27% of Millennials and 34% of Gen Z had lost money/data due to harmful cyber activity such as phishing.
- By contrast, 92% of Baby Boomers reported never having their identity stolen, and 88% had never lost money/data due to cyberattacks.
Meanwhile, 45% of romance-scam victims and 48% of cyberbullying victims did not report incidents. And 26% of identity theft victims and 31% of phishing victims did not report their incidents directly to service providers or law enforcement.
“Phishing attacks are extremely prevalent and, unfortunately, successful,” said Plaggemier.
Thus, it is essential that tech users know how to spot and report phishing attacks. If a link or attachment looks suspicious, scroll past it or delete/mark it as spam or junk mail. And be wary of communications that ask for immediate action.
“Monitoring for these types of phishing scams will help users and companies avoid clicking on links with malware that can damage your device, and worse, give cybercriminals access to them,” said Plaggemier.
Basic cybersecurity knowledge is lacking
Basic cybersecurity awareness and adoption of tools are also cause for concern. The study found that:
- 62% of users lack access to cybersecurity knowledge, and one-third rely on the help of friends and family.
- 78% of respondents consider staying secure online a priority.
- 57% were worried about cybercrime.
- 46% felt frustrated while staying secure online.
These findings are endemic to the way cybersecurity training is viewed, said Plaggemier. The onset of the pandemic and the blurring of personal and professional lives is “a major wake-up call,” she said. Access was prioritized over security.
“Businesses that put security on the back burner to give people remote access quickly watched as bad actors took advantage of people’s general ignorance surrounding the dangers they faced by being connected all the time,” she said.
“Now we must course-correct and make fundamental safeguards like MFA and training-as-a-culture more of a necessity than a luxury,” said Plaggemier.
A call to action
There is a culture shift — which needs to be accelerated, said Plaggemier — as organizations increasingly fall victim to phishing and social engineering attacks.
It’s paramount that cybersecurity training becomes “entrenched in digital culture” and emphasized as a proactive and beneficial must-have rather than a punitive and reactive response.
The key to increasing education and adoption of cybersecurity best practices is to implement cyber-safe requirements. Ultimately, tech companies should be prioritizing cybersecurity over a fear of backlash from user friction and implementation, she said.
“Our study tells us that people want to prioritize security and they expect tech companies to do more,” said Plaggemier.
Instead of making MFA optional and framing it as a “just in case” deterrence measure, it should be “table stakes” for all devices that carry and store critical information, she said. This may seem a burden at first, but the amount of data risk it could minimize down the line is worth the initial growing pains.
“Practitioners need to move past the framing of training as punitive and instead create an environment where cybersecurity awareness and education is cultural,” said Plaggemier.
Ultimately, it should be embedded into our workplaces and our daily lives, she said.
“If we can change the messaging and make it easier for the average person to understand deterrence, we can collectively become safer and better prevent cyberattacks from proliferating.”