Cybersecurity best practices lagging, despite people being aware of the risks

The National Cybersecurity Alliance and CybSafe announced the release of a report which polled 2,000 individuals across the U.S. and UK. The report examined key cybersecurity trends, attitudes, and behaviors ahead of Cybersecurity Awareness Month this month.

“The cybersecurity threat landscape is as complex and diverse as it has ever been,” said Lisa Plaggemier, Interim Executive Director, National Cybersecurity Alliance.

“The daily headlines of data breaches and ransomware attacks is a testament to the problem getting worse, yet most people aren’t aware of the simple steps they can take to be a part of the solution. It’s critical to have a deeper understanding of both the challenges we face and the prevailing attitudes and behaviors among the public.”

“Cybersecurity is about more than just tools, it’s about people,” said Oz Alashe, CEO at CybSafe. “Too often people are forgotten in cybersecurity conversations.”

Cybercrime considered more common among Millennials and Gen Z

Per the study’s results, millennials (44%) and Gen Z (51%) are more likely to say they have experienced a cyber threat than baby boomers (21%). Additionally, 25% of millennials and 24% of Gen Zers said they had their identities stolen once as opposed to only 14% of baby boomers. In fact, 79% of baby boomers said they had never been a victim of cybercrime.

“Despite the myth that older individuals are more likely to be susceptible to cybercriminals and their tactics, our research has uncovered that younger generations are far more likely to recognise that they have been a victim of cybercrime,” said Plaggemier.

“This is a stark reminder for the technology industry that we cannot take cybersecurity awareness for granted among any demographic and need to focus on the nuances of each different group. And, clearly we need to rethink perceptions that younger individuals are more tech-savvy and engage more frequently in cybersecurity best practices than older technology users.”

Public not embracing cybersecurity best practices

According to the report, public response, and implementation of commonly known best practices including strong passwords, multi-factor authentication (MFA) and others are tepid at best. Findings on best practices include:

• Poor password hygiene: 46% of respondents say they use a different password for important online accounts, with 20% saying that they “never” or “rarely” do so. Additionally, only 43% said they create a long and unique password either “always” or “very often.”
• MFA remains a mystery: 48% of respondents say they have “never heard of MFA.”
• Software update installation lagging: 31% of respondents say they either “sometimes,” “rarely,” or “never” install software updates.

“There is a clear disconnect between the technology industry and the public when it comes to driving the adoption of cybersecurity best practices,” said Alashe. “There is overwhelming proof that simple best practices such as strong passwords, MFA and regularly installing updates can work wonders for boosting overall cybersecurity.

“Ultimately, there is no one-size-fits-all approach when it comes to cybersecurity. In order to reverse this trend and engage people in secure online behaviors more meaningfully, we must take a more human-centric view and understand the behavioral implications that are driving this disconnect.”

Reporting challenges undermine cybersecurity

According to the report, 34% of individuals have personally been a victim of a cyber breach. Of these individuals, 51% say they have been victims more than once. Further, 19% of participants said they have been a victim of identity theft. Of those who were a victim of cybercrime, 61% said that they did not report the incident.

Furthermore, only 22% of participants said that they “always” reported a phishing attempt – one of the leading threat types deployed by cybercriminals. Interestingly, only 29% of individuals indicated they were not intimidated by cybersecurity.

“The technology industry relies on reporting as one of the key pillars in identifying and stopping bad actors, yet even those impacted directly by cybercrime routinely fail to notify the appropriate parties that an incident has occurred,” said Alashe.

“In day-to-day life, it is second nature for individuals to report a crime if they see one; however, this behavior isn’t being replicated with cybercrime. It’s crucial that cybersecurity professionals get to the bottom of why this is the case, as raising reporting rates among people will be pivotal in freeing up time for cyber professionals, helping them to prioritise threats and adjust their strategies.”

Limited access to cybertraining

Per the report, 64% of respondents have no access to cybersecurity training, while 27% of those who do have access choose not to use it.

“Despite an ongoing rise of incredibly sophisticated cybersecurity attacks, a vast majority of employers and technology manufacturers fail to equip people with the tools and knowledge they need to identify, avoid and report cyberthreats,” said Plaggemier.

“Cybersecurity success is highly dependent on the actions of everyday people, and unless we are able to grow our training and education infrastructure dramatically, we will continue to be immensely vulnerable to bad actors.”