Findings of a Mimecast survey show that cyber awareness training is badly needed for organisations.
Employees are often the weakest link in your security chain. Studies are frequently cited as finding that over 90% of cyber breaches involve some element of human error. Even with the best of intentions, employees' actions can lead to serious cybersecurity lapses.
But how much of that comes down to poor behaviour or bad decisions by employees when they use their corporate-owned devices?
Mimecast recently commissioned a Google Consumer Research survey with 1,000 participants to learn more about how everyday employees across numerous sectors are using their work-issued devices. Let’s look at the key numbers—and how they can help inform a strategy for combating potential workplace misuse and cybersecurity lapses.
Workplace security practices by the numbers
30%. This is roughly how many survey respondents use their company-issued device for personal reasons for at least one hour per day. A further 55% do so for at least 30 minutes every day. In total, 69% of employees admitted to using these devices for their own personal purposes.
This kind of behaviour presents a security concern for any organisation. It is hard for IT departments, and for the organisation at large, to know exactly what these individuals are looking at or clicking on every day, and without proper training or technical safeguards in place the organisation is accepting a significant risk.
One-quarter. This is how many employees surveyed were not aware of the most basic threats to their organisation—threats such as phishing and ransomware.
If employees don't know about these threats and the problems they could cause for both workplace productivity and your bottom line, they are unlikely to take the necessary precautions when browsing the Internet or checking personal email at work.
In addition, almost 60% of employees said they aren’t aware of their company’s web-use policies at work — or there aren’t established policies at all.
50%. About half of those surveyed said their employer doesn't provide mandatory cybersecurity training. About 10% said their employer offers training only as an optional activity, and roughly the same proportion said they received formal cybersecurity training only during onboarding when they began their employment.
One-third. About one in three companies rely on a method of cybersecurity awareness training that is largely ineffective: they provide their employees with an emailed or printed list of cybersecurity tips and reminders. This is, unfortunately, the most common approach to awareness training among those surveyed.
The good news is better approaches weren’t too far behind in this survey: 30% receive proactive prompts about unsafe links and 28% view interactive best practices videos.
Why you need cybersecurity awareness training
If you aren't conducting regular, interactive and comprehensive cybersecurity awareness training and education for your employees, the findings of this survey should be a wake-up call. Overall, your employees may well be engaging in risky Internet practices on your corporate-owned devices and internal networks.
In turn, this type of behaviour increases your exposure to cybersecurity incidents that could take down your network and result in millions in losses from downtime and lost productivity. That risk goes down significantly when you have a trained, prepared and educated workforce.
Some personal use of company devices is inevitable. Cybersecurity lapses arising from that use don't have to be.
What does effective cybersecurity awareness training look like?
Your training content must be engaging. If it isn't, your employees will tune it out and won't absorb a thing. Content built around situations and examples your users can relate to is key to keeping them engaged.
For cybersecurity awareness training to work, you need employees to take a more deliberate approach to their technology use: stop, think, verify. This habit helps defeat the lion's share of attacks, which rely heavily on social engineering, user inattention and a lack of knowledge.
One best practice is micro-training: short, three-to-five-minute sessions that include questions and learning moments, delivered every few weeks to reinforce the message.