The title kind of speaks for itself, but I found this statistic to be very surprising because you’d think that employees would be briefed on how to properly handle data or items that could reveal someone’s personal information. “Respondents were asked a variety of questions based on real-world scenarios, such as correctly identifying personal information, best practices for logging onto public Wi-Fi networks and spotting phishing emails. Based on the percentage of privacy- and security-aware behaviors correctly identified, survey takers were labeled one of three things: A risk (lacking in security awareness), a security novice (possessing some awareness) or a security hero (having good awareness).” I thought one thing was very fascinating: managers and upper-level employees scored worse than entry-level employees.
ThreatList: 3 Out of 4 Employees Pose a Security Risk to Businesses
Haitao Huang says
I also found some interesting findings in the study:
1. Employee performance was worse this year across all eight industry verticals measured. Respondents did much worse at identifying malware warning signs, knowing how to spot a phishing email, and social media safety.
2. Managers showed riskier behaviors than lower-level employees. Management performed worse than their entry- and mid-level counterparts when asked how to respond to a suspected phishing email. Only 69% of managers chose the correct answer vs. 86% of lower-level employees. And nearly one in six management-level respondents – 17% – chose to open an unexpected attachment connected to a suspected phishing email.
3. Finance sector employees performed the worst. Of the seven vertical industry sectors examined, financial employees got the lowest scores. 85% showed some lack of cybersecurity and data privacy knowledge. And, 19% of finance workers thought opening an attachment was an appropriate response to a suspected phishing email.
4. Too many employees could not identify phishing emails. 14% of employees could not identify a phish, a notable increase from 8% in 2017. And, 58% could not define business email compromise.
Xinteng Chen says
Hi Connor,
This is an interesting article for us to read. To reduce the security risks of employees, security awareness training is the most useful method. Employees should build their awareness to protect cybersecurity. Organizations should create a plan for them to have a training program. If any new social engineering incidents come out, the organization should remind employees in time.
Yingyan Wang says
Hi Connor,
Humans are usually the weakest part of a business. It requires continuing awareness training to face new cyber challenges. Employees should realize their positive and negative impact on the organization. How to educate and train employees is always a question for the company.
Brock Donnelly says
I think this is a great example as to why businesses should have an internal phishing/threat campaign backed with a training program for all the offenders. From what I have seen in my working experience, people are less fatigued than they are happy to turn a blind eye, because they just don’t care or refuse to learn something new. The other sentiment is that “it just isn’t their job.” Perhaps companies should hire with cybersecurity in their job descriptions: “All new hires will need a basic understanding of cyber threats, i.e. phishing, malware and data privacy.”