‘User Risk Report’ Reveals Poor Cybersecurity Habits of Global Workers

Are you making assumptions about what your end users know about phishing? Ransomware? The limitations of antivirus software? Are you confident that they password-protect their personal smartphones and home WiFi networks?

If so, you could be overestimating how well your users safeguard their data, devices, and systems — and underestimating how their habits influence your organization’s level of risk.

To get a better sense of the personal cybersecurity habits of working adults around the world, we invite you to download our second annual User Risk Report, which reveals the results of an international survey of more than 6,000 users across six countries: the US, UK, Germany, France, Italy, and Australia. The scope of this year’s report far surpasses that of our 2017 study, which surveyed just 2,000 working adults across two countries (the US and UK).

About the ‘User Risk Report’

For this year’s report, we commissioned a third-party survey with questions designed to gather data about end-user actions and capabilities that affect device, data, and system security. We repeated many of the questions we asked in last year’s survey, but dug a little deeper into other topics to get the best picture of working adults’ prowess in areas like the following:

• Understanding of cybersecurity fundamentals (such as phishing, ransomware, and WiFi security)
• Password management and attention to physical security measures
• Use of data protections, such as virtual private networks (VPNs) and file backups
• Application of best practices related to activities such as social media sharing and use of employer-issued devices

We present the global averages of the responses — and note a few outliers — throughout the report, but we’ve also included country-by-country breakdowns in the appendix so you can get a sense of how respondents’ answers varied by region.

Key Findings

As with last year’s study, the findings of the 2018 User Risk Report are sometimes heartening, occasionally perplexing, and frequently terrifying — but always enlightening.

We found that, globally, smartphones and home WiFi networks are used by more than 90% of working adults, and 39% of respondents said they blend work and personal activities on their smartphones. Unfortunately, many of these individuals are not taking basic security measures, which is putting organizations at greater risk (particularly those that support remote and/or traveling workers).

Following are a few key areas for improvement:

• 44% of global respondents do not password-protect their home WiFi networks, and 66% have not changed the default password on their WiFi routers.
• 55% of workers who use employer-issued devices at home allow family members to use them for things like shopping online and playing games.
• 67% believe using antivirus software and keeping it up to date will stop cyberattacks from affecting their computer.
• Among working adults who do not use a password manager, more than 60% admitted to reusing passwords across multiple online accounts.

Time to Lead the Charge for User Awareness

As the User Risk Report shows, working adults around the globe still lack awareness of fundamental cybersecurity topics — including those noted above, as well as phishing, ransomware, and malware. Clearly, it’s time for infosec teams to take a hard look at how they are approaching security awareness training and to consider how deeply a lack of cybersecurity education may be hurting organizational security postures.

Quite simply, it’s dangerous to continue making assumptions about what users do and do not know about cybersecurity best practices. What you think employees should know is of little relevance if they simply don’t know it. For cybersecurity to become an ongoing priority and pursuit for your end users, security awareness training must be an ongoing priority and pursuit for your organization.