Cyber hygiene training is infrequent and inconsistent

Finn Partners Research released findings from its Cybersecurity at Work study that examined the level of cyber risk that employees pose to their organizations.

The in-depth study, which surveyed 500 full-time office employees across the US, found that nearly two in five workers admitted to clicking on a link or opening an attachment from a sender they did not recognize. This security slip-up is significant due to the installation of malware on their devices and the harvesting of sensitive corporate data.

Resulting from the societal BYOD (bring your own devices) trend, the study shows that more than half of employees (55 percent) are using their personal devices for work, which directly impacts increased vulnerability to hackers, malware and data breaches. In addition, only 26 percent of employees change their login credentials and/or passwords for personal and work applications at least once a month.

“The fastest and easiest way for bad actors to gain access to sensitive organizational data is for employees to click on nefarious links – we know that around 40 percent of our workforce is engaging in such behavior,” said Jeff Seedman, senior partner at Finn Partners who leads the firm’s US cybersecurity specialty group.

“Employees often assume their personal devices are secure, but then neglect to update their software regularly or put any protection policies in place. This is a serious problem, especially if a device loaded with company data gets lost, stolen or hacked.”

Only 25 percent of employees said they receive “cyber hygiene” training on a monthly basis from their IT team. Cyber hygiene refers to the updating of operating systems on devices, checking for security patches, and changing passwords.

• 29 percent receive quarterly training;
• 19 percent receive bi-annual training;
• 23 percent receive annual training or do not receive any at all

Despite these training gaps, 93 percent of respondents believe that their company takes adequate cybersecurity measures to protect their personal and corporate data. What’s more, 94 percent of employees believe they are doing their part in helping to keep their company’s data secure.

“While 31 percent of respondents have already been a victim of a breach or attack, the behavior patterns to elicit security breaches remain,” said Jodi Brooks, managing partner and tech practice lead at Finn Partners.

“The opportunity to invest and increase the cadence of security vulnerability training in our organizations is vital. It is no longer sufficient for organizations to roll out annual security trainings on the latest vulnerabilities.”