Spanning Cloud Apps announced the results of a survey of over 400 full-time U.S. employees on their awareness of and tendency towards risky online behavior.
The study measured U.S. workers’ risk aversion for a range of behaviors, including use of online account credentials, susceptibility to phishing attacks and potential for data loss. It found that, while employees are generally risk averse, more than half (55 percent) admitted to clicking links they didn’t recognize, 45 percent said they would allow a colleague to use their work computer and 34 percent were unable to identify an unsecure ecommerce site.
Nearly three quarters of U.S. workers demonstrated suspicion of unfamiliar URLs from popular sites like Facebook and the New York Times, and aversion towards potentially malicious links was generally high, with 87 percent of respondents demonstrating caution around these URLs. However, a recent report by Barkly found that the average user receives 16 malicious spam emails per month, and that roughly 54.6 percent of all email is actually spam. With 13 percent of employees clicking on short URLs and a large volume of malicious emails in circulation, organizations face a potentially high risk of data breaches and data loss.
Employees would rather be “nice” than safe
When asked if they would allow a colleague to use their work computer to complete a task, more than half (59 percent) of all employees said they would. Of workers with administrative access, only 35 percent responded that they would refuse to allow a colleague to access their device.
Employees like to shop from work, but not all know how to spot an unsecure site
More than 52 percent of all employees and 62 percent of admin holders polled said they shop online from their work computer. When presented with an example of an unsecure ecommerce browser window, 34 percent of employees who admit to shopping online responded that they felt the site was secure. Further, under half (49 percent) of all employees polled who indicated the site was unsecure were able to correctly identify a broken padlock as being the key indicator of an unsafe site.
Employees are underprepared for sophisticated phishing emails
When presented with a visual example, only 36 percent of all employees correctly identified a suspicious link as being the key indicator of a phishing email. The remainder chose the indicators that the email was not personalized and contained a “Re:” in the subject line. While these are correct observations, phishing attacks are becoming increasingly sophisticated and may trick employees who don’t know to zero in on suspicious links.
Employees demonstrate risky behaviors
55 percent of employees admitted to clicking on links they didn’t recognize, and nearly half (49 percent) have downloaded a web extension to their work device. Further, 20 percent of workers reported that they share passwords over text or email, in sharp contrast to a well-known basic security practice.
“While we are encouraged to see that employees are becoming more risk averse, and most can identify unsecure sites or phishing emails, these results show that there is still a concerning gap between what users say they understand and how they actually behave,” said Mat Hamlin, VP of Products, Spanning. “Organizations need to improve security awareness and training while still preparing for the worst, which is why backup of all critical data, including SaaS, is more important than ever, especially considering that 25 percent of these survey respondents indicated they have lost data in G Suite or Microsoft Office 365 in the past.”
Results of the survey also found similarly risky online behavior and a lack of awareness in healthcare, education and government organizations. Over 60 percent of government workers would allow a colleague to use their work computer, compared to 41 percent in education and 40 percent in healthcare, indicating a particular risk in the government sector compared to the others.
“The results of this survey should be instructive to IT leaders at organizations of all sizes,” said Brian Rutledge, Principal Security Engineer, Spanning. “It only takes one…one employee, one email, one ransomware attack. The results show that even though employees know basic risks associated with strange looking emails and web pages, they lack a deeper understanding of how their online behaviors put business data at risk. For organizations in highly-targeted industries, such as government and healthcare, leadership teams must have measures in place to quickly restore data and not rely on employees to keep hackers out.”