Your Employees Know That Their Passwords Are Weak, but They Will Not Change Them

Employees Won't Change Weak Passwords

The regular user's role tends to be overlooked when mainstream media discusses cybercrime, and to some extent, this is perfectly understandable. After all, selling a story about extremely sophisticated state-sponsored hackers who use clever hacking tools to bypass the defense mechanisms of major organizations is easier than selling a story about an employee who wasn't paying attention.

The fact of the matter is, however, that careless employees are often at the root of even the most high-profile attacks. It's all down to people's own cybersecurity habits and their understanding of the risk, or, more precisely, lack thereof. To fight cybercrime, security companies must understand why we are faced with this problem, which is why WebRoot partnered up with Wakefield Research and conducted a study which they aptly called "Hook, Line, and Sinker: Why Phishing Attacks Work". The findings are as fascinating as they are worrying.

Researchers interview 4,000 overconfident office workers

The survey involved 4,000 workers from the US, UK, Japan, and Australia, and one of the first things these people were asked to do was to estimate how confident they are in their ability to distinguish phishing messages from real ones. Surprisingly or not, the answers depend at least to a certain extent on people's geographical location and their cultural upbringing. In the UK, the US, and Australia, for example, around 90% of workers say that they can tell a phishing message from a real one. By contrast, only about one in two of the Japanese respondents expressed similar confidence.

If we assume that these figures represent the rest of the world as well, we'll conclude that about 79% of all office workers reckon that they can spot a phishing email. The next set of figures shows that they are way too cocky.

About 49% of respondents admit that they have clicked links in emails coming from unknown senders while they were at work. Coincidentally or not, 48% of the interviewed employees say that they have had their personal and/or financial information breached at least once.

It is pretty obvious that while they think they know better, many employees aren't educated and experienced enough to avoid most phishing traps. That's not the only problem.

Employees don’t know how to handle a cybersecurity incident

67% of the respondents said that they have received at least one phishing email at work. Of them, about 39% did nothing to report the message and help locate its source. There are a few other findings that demonstrate people's lack of security awareness.

While most of the respondents know that spam emails are behind most malware and credential theft operations, many fail to recognize text messages, social media, and voice calls as phishing vectors.

The most worrying statistics, however, are the ones detailing people's actions in the aftermath of a breach. 29% of the respondents who admitted that they've been hit by a breach didn't inform legal authorities about it, and in Japan, about 13% did absolutely nothing at all. A whopping 35% of the workers hit by a data breach didn't so much as bother to change their passwords after their information was leaked. And this, as most of you should know, is the first and most important step a user should take in the wake of a cyberattack.

Something’s got to be done

Obviously, the situation is far from ideal, and companies the world over should start thinking about what they can do to improve it. The authors of the study rightly pointed out that organizations must invest in training and educational courses that should raise awareness around the threat of phishing as well as other aspects of cybersecurity. Phishing simulations, in particular, are especially useful, because with them, employees get a first-hand experience of what it's like to be targeted by a phishing scam.

As Cleotilde Gonzalez, Ph.D. from the Carnegie Mellon University noted in her comments on the research, however, "what we really need is a mindset makeover". People need to realize how important cybersecurity is, and they need to understand the consequences of not taking it seriously enough.

Then and only then will the real threat come from the state-sponsored hackers and their sophisticated tools. They will be faced with a much more formidable defense, though.

September 26, 2019