Despite a constant stream of data breaches and cyberattacks on American businesses, nearly half of employees at U.S. companies get no cybersecurity training at work—a fact that explains their poor performance on various security metrics.
Two-thirds of respondents in a newly released CompTIA survey, “Cyber Secure: a Look at Employee Cybersecurity Habits in the Workplace,” reuse passwords on multiple accounts. Nearly 40 percent use their work email address for personal services like banking and ecommerce. And 41 percent of employees surveyed were unfamiliar with two-factor authentication (logging in with both a password and a randomly generated code sent to a mobile device).
CompTIA, a trade group representing major IT firms, found that employees were more diligent about corporate security than personal security. More employees changed their work passwords monthly than their personal passwords. The same was true for those who changed their passwords quarterly, which was also the most popular interval for changing them. (Only 9 percent waited a year to change their work passwords.)
Among the survey’s most significant findings was the fact that, of the 1,200 full-time American employees interviewed, only 55 percent reported receiving cybersecurity training at work. There was widespread consensus that cybersecurity education should start at a much younger age, with a combined 72 percent of respondents saying that kids should begin learning about Internet best practices between the ages of five and 13.
The CompTIA survey also revealed that Americans’ perceptions of cybersecurity remain focused on their identities rather than their data. A plurality of respondents (36 percent) associated the term with identity theft, and only 18 percent associated it with hackers.
Nearly every employee surveyed used an antivirus program, whether a paid product (57 percent), a free option (30 percent), or an application that shipped with the device (11 percent). Only 2 percent of employees left their machines completely unprotected—a fact that should offer some comfort to IT managers.
Corporate security experts are likely to blanch at the fact that 22 percent of respondents said they would pick up a USB flash drive if they found it sitting somewhere in public. Making matters worse, 84 percent of that curious subset said they would plug it into their device. Flash drives remain one of the easiest vectors of attack for cyber criminals. Surprisingly, millennials were more likely than members of older generations to pick up a flash drive (40 percent, compared to 22 percent of Gen Xers and 9 percent of Baby Boomers).
The CompTIA report follows other trade groups’ surveys that show a similarly low level of cybersecurity awareness and competence. CTIA–The Wireless Association found that fewer than six in 10 Americans secured their smartphones with a password, while a National Cybersecurity Awareness Month survey revealed that 40 percent of Americans used their router’s default password and 59 percent of parents let their kids download apps without permission.