Trends in U.S. Worker Cyber Risk-Aversion and Threat Preparedness
2018 Cybersecurity and Risk Awareness Survey
Considering the near-constant instances of cyber attacks and an ever-increasing cyber risk landscape, cybersecurity has never been more important. Many organizations have already adopted proactive cybersecurity measures to combat external threats, such as designing incident response plans, implementing automated network monitoring software and establishing disaster recovery processes. These best practices are crucial; too often, however, organizations fail to also consider the security weaknesses posed by internal factors (i.e. their employees).
Malicious internal threats can be the most difficult for organizations to detect and defend against, as the insiders behind them already have legitimate access to company data and systems. Even more challenging is the reality that non-malicious, well-intentioned employees can also cause significant harm. An employee who frequents an unsecure website from their work computer or opens a suspicious link from their work email, for instance, can serve as an easy entry point for cybercriminals seeking company network access.
To understand how prepared employees are for ongoing, sophisticated cyber threats and to help organizations better defend their most critical business assets from the inside out, Spanning commissioned a survey of over 400 U.S. workers across a range of industries, including education, government and healthcare, to determine awareness of and tendency towards risky online behavior.
The survey identified five key findings:
More than 8 in 10 workers reported that they never share passwords over text or email and that they use a mix of letters, numbers and symbols in their passwords. 87 percent of respondents are uncomfortable clicking on short URLs, such as bit.ly links.
More than 52 percent of all employees and 62 percent of admin holders polled said they shop online from their work computer. However, over 30 percent were unable to identify an unsecure ecommerce website, and more than 50 percent of those who were able to did not choose a broken padlock as a key indicator of an unsecure site.
When asked if they would allow a colleague to use their work computer to complete a task, almost half of all respondents said they would. Amongst those with administrative access, only 35 percent said they would refuse to allow a colleague to access their device.
When presented with a visual example, only 36 percent of all employees polled correctly identified a suspicious link as being the key indicator of a phishing email.
Nearly 7 in 10 respondents admitted to accidentally deleting files. When asked specifically about whether they have done so when using G Suite or Microsoft Office 365, over 25 percent stated that they have.
Overall, U.S. workers have a decent understanding of basic cybersecurity risks, such as the dangers of poor password etiquette and instances of Shadow IT and/or Bring Your Own Device (BYOD).
More than 8 in 10 workers reported that they never share passwords over text or email and that they use a mix of letters, numbers and symbols in their passwords. Eighty percent of respondents do not typically use the same password for all of their online accounts, and 87 percent are uncomfortable clicking on short URLs, such as bit.ly links.
Seventy-six percent of workers stated that they do not conduct online banking on devices that are not their own, and more than half indicated that they avoid downloading applications from the web to their work computer.
Online Shopping Vulnerabilities
The majority of employees enjoy shopping online from their work computer. Even in the best case, this introduces serious security risks, such as exposure to phishing emails, theft of personal data and potential malware attacks. Of even greater concern, however, is that many workers who shop online from their work computer cannot accurately identify unsecure ecommerce websites.
When presented with an example of an unsecure ecommerce browser window, 34 percent of employees who admit to shopping online responded that they felt the site was secure. Further, just under half (49 percent) of all polled employees who responded that the site was unsecure were able to correctly identify a broken padlock as being the key indicator of an unsafe site.
Other respondents reported that the biggest indication of an ecommerce site being unsafe was a fake-sounding site name (33 percent), that the padlock was not green (14 percent) and that the web page in question had a ‘funny layout’ (2 percent).
Sharing devices between coworkers may seem harmless enough, and it is understandably convenient and friendly behavior. Device sharing, however, can lead to chronic security gaps that quickly spread across an entire organization.
When U.S. workers were presented with a scenario in which a colleague was having trouble logging in to a business application and faced a deadline to submit their work, almost half of all respondents said they would let their colleague use their computer to log in. Amongst those with administrative access, only 35 percent responded that they would refuse to allow a colleague to access their device.
Looking at specific industries, more than 60 percent of government workers said they would allow a colleague to use their work computer, compared to those in education (41 percent) and healthcare (40 percent).
Only 37 percent of workers, overall, indicated that they would refuse to offer their login or device. Worse, 14 percent of respondents said they would give their colleague their personal login information and let them use their device in order to meet the deadline.
Phishing Email Effectiveness
Phishing email scams are certainly nothing new, and many organizations explicitly train their employees not to open emails from an unknown sender or click on any suspicious links.
When presented, however, with a visual example of a phishing email, 36 percent of all respondents correctly identified a suspicious link as being the key indicator of a phishing email. The remainder chose the following indicators:
- It is not a personalized email with my name (36 percent)
- There is a “re” in the subject of the email, but I never sent a note in the first place (24 percent)
- The company’s logo colors do not ‘look right’ in the email (2.7 percent)
While all of the above responses are correct and worthwhile observations, phishing attacks are becoming increasingly sophisticated and may continue to trick employees who do not know to focus their attention on potentially suspicious links.
Employee-Induced Data Loss
In addition to unknowingly creating accessible entry points for cybercriminals through risky cyber behavior, employees can impact the security and overall health of an organization by inadvertently causing data loss.
Nearly 7 in 10 U.S. workers admitted to accidentally deleting files, with 41 percent reporting that they went to an IT administrator for help afterwards and 39 percent saying they sought out their helpdesk team.
When asked specifically about whether they have accidentally deleted email, files or data when using Google G Suite or Microsoft Office 365, more than 25 percent of respondents said they have.
The majority of U.S. workers are cyber risk-averse, demonstrating a basic understanding of security awareness by practicing good password hygiene, avoiding clicking on suspicious links and refraining from downloading applications from the web to their work computer. However, the survey results also indicate significant room for improvement. It is evident that a fundamental knowledge of rudimentary cybersecurity best practices is not sufficient for protecting critical enterprise data in today’s ever-evolving threat environment.
With more than 52 percent of all survey respondents reporting that they shop online from their work computer, almost half saying they would allow a colleague to use their computer to login and only 36 percent able to correctly identify a suspicious link as being the key indicator of a phishing email scam, IT leaders need to do more to educate employees on how their daily online behavior can endanger critical business data.
Furthermore, with nearly 7 in 10 respondents admitting to inadvertently deleting files and more than 25 percent incurring data loss via Google G Suite or Microsoft Office 365, organizations and their IT teams need to prioritize both on-premises and cloud-based data backup and restoration capabilities, particularly in the highly vulnerable industries of education, government and healthcare.
Spanning commissioned the survey, which was completed by 407 full-time employees. All respondents are based in the U.S., with just over 35 percent holding administrative user credentials.
Gender was split equally, with the majority of workers identifying as administrative professionals, directors, managers and business owners. Survey respondents primarily represented the following industries:
- Banking and finance
- Hospital and healthcare
- Information and technology