ThreatList: 3 Out of 4 Employees Pose a Security Risk to Businesses

Finance-sector employees fared the worst in an awareness survey, with 85 percent showing some lack of cybersecurity and data privacy knowledge.

While much is always made of external hackers, insider threats remain a problem at more organizations. A full 75 percent of professionals pose a moderate or severe risk to their company’s data, according to a recent survey.

MediaPRO’s third-annual State of Privacy and Security Awareness Report polled more than 1,000 employees across the U.S. to quantify the state of privacy and security awareness. Respondents were asked a variety of questions based on real-world scenarios, such as correctly identifying personal information, best practices for logging onto public Wi-Fi networks and spotting phishing emails. Based on the percentage of privacy- and security-aware behaviors correctly identified, survey takers were labeled one of three things: A risk (lacking in security awareness), a security novice (possessing some awareness) or a security hero (having good awareness).

The results uncovered that employees in management roles or above showed riskier behaviors than entry- or mid-level employees. Seventy-seven percent of respondents in management showed a general lack of awareness, while 74 percent of those in subordinate positions scored the same.

Employees in the finance sector performed the worst of the seven industry segments analyzed, with 85 percent of finance workers showing some lack of cybersecurity and data privacy knowledge. This extends to physical security: One out of five finance employees failed to report finding an unlocked file cabinet filled with sensitive files.

“We live in an age where stories about cybersecurity are constantly swirling, which can actually create a sense of security fatigue,” said Tom Pendergast, chief security and privacy strategist at MediaPRO, in a media statement. “But these levels of riskiness are alarming. It only takes one person to click on the wrong email that lets in the malware that exfiltrates your company’s data. Without everybody being more vigilant, people and company data will continue to be at risk.”

Worryingly, the firm said that this year, more people fell into the risk categories than in 2017. According to the report the number has nearly doubled since the inaugural survey. Specifically, those surveyed did significantly worse in identifying malware warning signs, knowing how to spot a phishing email and social media safety.

On the malware front, close to one-fifth of employees failed to recognize at least one of four possible signs of a malware-infected computer. The malware sign most misidentified was a slow computer, which nearly a third of respondents (31 percent) overlooked as a potential indication that the computer had been infected.

Multiple web searches ending at the same address was the sign correctly identified most often—87 percent of employees said this was a clue malware had infected their computer.

Meanwhile, 14 percent of employees lacked the ability to correctly identify phishing emails. In the 2017 survey, only 8 percent of employees struggled in this area.

“For the second year in a row, an email purporting to be from a famous investor offering a hot stock tip proved to be the trickiest, with one out of five of respondents failing to report it as phishing,” according to the report. Also, only 58 percent of respondents overall could define business email compromise (BEC), suggesting “a concerning lack of awareness surrounding this common social-engineering tactic,” according to the report.

For social-media safety, more than one in five employees made poor decisions. These included reputational issues like re-tweeting a coworker’s sarcastic tweet about a competitor (23 percent thought this appropriate), or competitive problems like boasting on Facebook about an as-yet-unreleased new product offering (16 percent thought this appropriate).

“The overall results of this report revealed a trend we weren’t happy to see: employees performing worse across the board compared to the previous year,” Pendergast said. “Rather than dwell on how much the average employee still has to learn, this report should be taken as a road map for a robust security and/or privacy awareness initiative — one that will ultimately lead to real behavior change.”


Suggested articles