For IT and InfoSec professionals, terms like phishing, ransomware, and vishing are common and universally understood. For end users, the same can’t be said. In our 2020 User Risk Report we surveyed 3,500 working adults from around the globe to understand their security awareness knowledge and related behavior. These countries include the United States, Australia, France, Germany, Japan, Spain, and the UK. What did we find? Some worrying results. Take the common term “phishing”. Only 61% of users could accurately define the term. Significantly fewer users could define terms like ransomware, smishing, and vishing. When viewing the results from a generational perspective, millennials have better awareness of smishing and vishing but less awareness of phishing compared with their older peers.
Many practitioners starting a security awareness program are tempted to jump straight into advanced training on topics like business email compromise and spear phishing. Before you start your program, understanding your users’ knowledge levels is critical to building a successful security education curriculum for the long term.
Key Findings
Do you need more reasons why a fundamental knowledge base is so important? The following findings from the survey all matter when understanding people-centric risk for your organization:
- 16% use the same 1 or 2 passwords for all accounts
- 32% don’t know what a VPN is
- 10% of users have no lock on their smartphone
- More than 50% of users don't require a password to connect to their home WiFi network
- 26% believe a free WiFi network (like at a coffee shop or airport) is safe to use, 17% don’t know
- Almost half of employees allow friends and family to use their corporate device for personal use
Despite these findings, every year we’ve conducted this survey we see improvements in security awareness among users. And now almost all organizations (95%) have some pieces of a security awareness program in place, according to our 2020 State of the Phish, which is definitely moving organizations in the right direction.
But security awareness continues to be siloed at a lot of organizations and therefore operates on an island. With 99% of attacks requiring users to take action to be successful, the notion that security awareness is an annual compliance or checkbox activity is neither reasonable nor appropriate.
People Are Your Best Option
Educated users can be resilient. Our 2020 State of the Phish found some of our most successful clients had over 80% of users reporting simulated phishing campaigns with their email reporting add-in. Another client of ours found that after training they were able to cut successful real phishing attacks by 90%. While those numbers matter, other clients talk about the dramatic changes they’ve seen in security awareness culture, where security becomes second nature among users.
If you’re wondering how you can get these types of results and run a successful, long-term security awareness program, we’re highlighting key facts, strategies, resources, and tips you can use regardless of your vendor, and demonstrating why your security awareness training approach matters.