There appears to be a lack of cybersecurity awareness amongst many office workers, despite most believing that they have been adequately trained, new research has claimed.
A survey from Encore of 100 C-level executives, 100 Chief Information Security Officers (CISOs) and 500 office workers in the US and the UK found a significant security knowledge gap between IT teams and workers.
Some of the more worrying findings include the failure of over half (57%) of staff to properly define what a phishing attack is, yet 90% of C-Suite executives believe they provide adequate cyber awareness training, and 80% of staff agree.
Bad practices
If this is the case, though, it seems none of that training has sunk in. Basic security practices are seemingly being ignored, as over a third of employees use the same password for both work and personal devices, and 37% use personal devices for work purposes.
Again, though, leaders appear blind to this fact. 71% of executives are confident that they deploy enough safeguards to secure their business, including from human error.
21% aren’t confident in their safeguards though, and 8% think that their workers pose no risk at all.
“Despite hundreds of reported breaches making the headlines each year – often featuring news of an exploited user account or an exposed password – it’s concerning that nearly a third of organizations have insufficient defenses around the workforce,” says Encore CTO Lior Arbel.
Arbel believes that firms treat cybersecurity training as a box-ticking exercise, and that as threats continue to evolve, keeping pace with adequate training is hard.
“Business leaders trust that their staff are being well trained, and each individual trusts that their employers are providing them with all the knowledge and tools they need… however, a gap between perceptions and reality has formed – and it needs bridging immediately,” Arbel concludes.
Other research has found similar failings among workers, such as the prevalence of malicious links in emails being opened, unaware that they are used as part of phishing attacks to elicit passwords and other credentials from businesses, or otherwise infect the target system with malware.
