Ignorance Isn’t Bliss: How Tech Users Miss Fundamental Knowledge About Cybersecurity

Not surprisingly, internet connectivity is at an all-time high.

But – unsurprisingly – this has led to an increase in cyber attacks: phishing and identity theft are common (yet under-reported).

And adoption of best practices is lagging, as nearly two-thirds of tech users lack access to basic cybersecurity knowledge.

Here are the key findings from the National Cybersecurity Alliance (NCA) and CybSafe Oh behave yourself! The Annual Report on Cybersecurity Attitudes and Behaviors 2022. The report, which surveyed 3,000 people in the US, UK and Canada, was released today before the NCAs Cyber ​​Security Awareness Month in October.

“Cyber ​​attacks have increased in frequency, especially in recent years, with the pandemic accelerating and forever changing the attack surface against consumers and businesses,” said Lisa Plaggemier, executive director of the NCA. “However, bad actors continue to successfully claim victims through low-tech (but still effective) methods.”

Clean up your passwords

One of the most disturbing findings: weak password hygiene.

While 45% of respondents said they are always online, only 16% said they create passwords longer than 12 characters. Similarly, 40% do not use strong password combinations and only 7% use a password manager.

Also, more than a third (37%) of respondents preferred writing passwords in a notebook, 28% store them electronically and 22% “just remember them”.

“It’s alarming because each of these password hygiene methods has huge weaknesses that can eventually lead to passwords falling into the wrong hands,” says Plaggemier.

Also according to the report:

• 43% of respondents had never heard of multifactor authentication (MFA).
• 37% have no automatic software updates enabled.
• 35% assumed their devices are automatically secured.

Simply put, technology users don’t like passwords and generally struggle with “sensible security hygiene,” according to Plaggemier.

To defend themselves and their employees, companies must use a combination of MFA, zero-trust policies, and good password hygiene. This means that the use of passphrases of at least 12 characters is mandatory. Users must create and maintain unique multi-character passwords for the growing number of online accounts they log into.

“Regardless of length, if passwords are predictable or don’t distinguish between characters, attackers are significantly more likely to compromise or brute-force a respective user’s account,” says Plaggemier.

Phishing and identity theft the most common attacks

Of the more than 1,700 cybercrime incidents reported by participants, 36% were phishing attacks leading to loss of money or data and 24% were identity theft. The report also found that:

• Participants in the US were increasingly victims of cybercrime.
• 20% of Millennials and 18% of Gen Z have their identities stolen at least once.
• 27% of Millennials and 34% of Gen Z had lost money/data to malicious cyber activities such as phishing.
• In contrast, 92% of Baby Boomers reported never having their identities stolen and 88% had never lost money/data to cyber-attacks.

Meanwhile, 45% of romance scam victims and 48% of cyberbullying victims reported no incidents. And 26% of identity theft victims and 31% of phishing victims did not directly report their incidents to service providers or law enforcement.

“Phishing attacks are common and, unfortunately, successful,” says Plaggemier.

So it’s essential that technical users know how to spot and report phishing attacks. If a link or attachment looks suspicious, browse it or delete/mark it as spam or junk email. And be wary of communications that require immediate action.

“Monitoring for these types of phishing scams helps users and businesses avoid clicking links with malware that could damage your device, and worse, allow cybercriminals to access them,” says Plaggemir.

Basic knowledge of cyber security is lacking

Basic knowledge of cybersecurity and the use of tools is also cause for concern. The study found that:

• 62% of users do not have access to cybersecurity knowledge and a third rely on the help of friends and family.
• 78% of respondents consider staying safe online a priority.
• 57% were concerned about cybercrime.
• 46% felt frustrated while staying safe online.

These findings are endemic to the way cybersecurity training is viewed, Plaggemier said. The onset of the pandemic and the blurring of personal and professional life is “a big wake-up call,” she said. Access was prioritized over security.

“Companies that put security on the back burner to give people quick remote access saw how bad actors took advantage of people’s general ignorance of the dangers they faced when they were constantly connected,” she said.

“Now we need to correct the course and make fundamental safeguards such as MFA and training-as-a-culture more a necessity than a luxury,” Plaggemier said.

A call to action

There is a culture shift — which needs to be accelerated, Plaggemier said — as organizations increasingly fall victim to phishing and social engineering attacks.

It is paramount that cybersecurity training be “anchored in digital culture” and emphasized as a proactive and helpful must-have rather than a punitive and reactive response.

The key to increasing education and adoption of cybersecurity best practices is implementing cybersecurity requirements. Ultimately, tech companies should prioritize cybersecurity over fear of backlash from friction and user deployment, she said.

“Our research tells us that people want to prioritize security and expect technology companies to do more,” says Plaggemier.

Rather than making MFA optional and framing it as a “just in case” deterrent, it should be “table stakes” for all devices that carry and store critical information, she said. This may seem like a burden at first, but the amount of data risk it could minimize over time is worth the initial growing pains.

“Practitioners need to move beyond the frame of training as punishment and instead create an environment where cybersecurity awareness and education are cultural,” says Plaggemier.

Ultimately, it should be embedded in our workplaces and our daily lives, she said.

“If we can change the messaging and make it easier for the average person to understand deterrence, we can collectively become more secure and better prevent cyber-attacks from spreading.”