Over 80% of Employees Lack Security/Privacy Awareness – Report

A new study has revealed worryingly low levels of employee cybersecurity and privacy awareness, with 88% described as lacking the requisite skills to prevent an incident.

The MediaPro 2016 State of Privacy and Security Awareness Report was compiled from interviews with over 1000 US employees.

Only 12% were classed as ‘hero’ – meaning they are able to identify and dispose of information safely, recognize malware and phishing attacks and keep info safe when working remotely.

Unfortunately, 72% were classed as ‘novice’ while 16% were judged to exhibit the kind of behaviors that could put their organization at serious risk of a major privacy or security incident.

Some 39% of respondents claimed to discard password hints insecurely, for example in a bin; a quarter failed to recognize a phishing email with a suspicious-looking attachment and questionable “from address”; and 26% said they thought it was fine to use a personal USB to transfer work documents outside of the office.

What’s more, 30% said they thought it was fine to post on behalf of their company to a personal social media account.

“This survey clearly shows the human threat vector is still largely unsecured, and most organizations don’t really know whether their employees have the necessary level of data protection awareness to avoid preventable incidents,” said MediaPro founder Steve Conrad.

The most recent stats from the Information Commissioner’s Office (ICO) revealed an increase in human error-related data breach incidents reported to the UK privacy watchdog.

Incidents involving data being sent by email to an incorrect recipient increased by 60% between the first and second quarters of 2016, while the number of incidents involving failure to redact data jumped by 64% from Q1 to Q2.

Yet some experts at Infosecurity Europe this year argued that current training programs are largely ineffective.

The focus should be on changing people’s behavior rather than raising awareness, as the latter does little to improve information security, they argued.

Source: Information Security Magazine