As you may know, October is National Cyber Security Awareness Month in America, which is a good time to ask yourself how aware you are when it comes to threats to your digital devices and personal information. If you feel the need to increase your awareness, or that of friends and family members, ESET is offering some free online training sessions this month (sorry, only available to U.S. IP addresses).
But does security awareness training really help people protect their personal information and digital devices?
In a recent article about cybersecurity training and awareness I said, quite emphatically: Yes! In fact, one of my headings in the article said: More cyber-security training is needed, and needed now. However, because such training takes time and money, it is reasonable to ask for justification of this assertion, so today we look at some ESET survey results that might provide an answer.
When we designed our recent survey of consumers we were cognizant of the fact that some people just don’t think that security training makes much difference. So we asked people a couple of questions to assess their security-savvy. This is hard to do in a survey setting without coming off like a test, and most people don’t like to be tested. But we did determine how many people could tell the difference between phishing and other forms of potentially malicious activity.
We started by asking how many people had heard of phishing. The result was 83 percent. At first I was impressed by that number, which sounds good when you say that better than 4 out of 5 people using the Internet on a regular basis have heard of this type of attack.
Then again, phishing has been around for 10 years (the Anti-Phishing Working Group was founded in 2003). So I worry about the 10 percent who said they have never heard of phishing (there were 7% who were not sure if they had heard of it). Furthermore, having heard of something and knowing what it is are two different things, so we asked people to pick out a definition of phishing from among several different definitions of computer security phenomena. About two thirds of the people who had heard of phishing were able to do this, but when you look at those people as a percentage of the total respondents, we see that only 54 percent of our Internet users actually know what phishing is. Interestingly, the percentage of people in the entire sample who reported seeing a phishing attempt in one or more of their email accounts in the past 30 days was 51 percent, which says something about the prevalence of phishing.
We also asked survey respondents to rate the relative strength of a variety of passwords and again the results might be seen as encouraging at first blush. The random string of characters was clearly identified as strong by over 80 percent of respondents.
Unfortunately, the very weak password of 87654321 was thought to be strong by 20 percent. Arguably, that’s 1 in 5 people you don’t want on your network. Indeed, the problem with these results is that they are nowhere near as good as they could be, and leave plenty of room for malefactors to penetrate systems. Now it is possible to argue that these numbers are good, given the previously reported finding that only 32 percent of people have had any security training. Clearly there is some self-teaching going on (it is worth noting that we found a strong correlation between higher education levels and a correct identification of the phishing definition). In the case of passwords, many websites that require a password will give users tips on choosing strong passwords.
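To show why a password like 87654321 is weak even though it is eight characters long, here is an added example (not code from ESET or from the survey) of the kind of check a site or a training exercise can run: a naive entropy estimate plus pattern tests for sequences, repeats and a common-password list. The common-password list is a constructed illustration, not a real breach list, and the bit thresholds are assumptions chosen for this demonstration.

```python
import math
import string

# Constructed illustrative list of commonly seen passwords (assumption: a real
# deployment would load a large breach-derived list instead).
COMMON_PASSWORDS = {"password", "123456", "12345678", "87654321", "qwerty", "letmein"}


def is_sequential(pw: str) -> bool:
    """True if every adjacent pair of characters differs by exactly +1 or -1
    in code point, i.e. a straight run such as '12345678', '87654321' or 'abcdef'."""
    if len(pw) < 3:
        return False
    diffs = {ord(b) - ord(a) for a, b in zip(pw, pw[1:])}
    return diffs in ({1}, {-1})


def charset_size(pw: str) -> int:
    """Size of the smallest character class union that covers the password."""
    size = 0
    if any(c in string.ascii_lowercase for c in pw):
        size += 26
    if any(c in string.ascii_uppercase for c in pw):
        size += 26
    if any(c in string.digits for c in pw):
        size += 10
    if any(c in string.punctuation for c in pw):
        size += len(string.punctuation)
    if any(c not in string.printable for c in pw):
        size += 100  # rough allowance for other Unicode characters
    return max(size, 1)


def estimated_bits(pw: str) -> float:
    """Naive upper bound on entropy: assumes each character was drawn uniformly
    from its character set. Only meaningful for genuinely random strings."""
    return len(pw) * math.log2(charset_size(pw))


def rate_password(pw: str) -> dict:
    """Return a rating dict: estimated bits, a label and the reasons for a 'weak' label."""
    bits = estimated_bits(pw)
    reasons = []
    if pw.lower() in COMMON_PASSWORDS:
        reasons.append("appears in common-password list")
    if is_sequential(pw):
        reasons.append("keyboard/numeric sequence")
    if len(pw) >= 4 and len(set(pw)) <= 2:
        reasons.append("repeated characters")
    if len(pw) < 8:
        reasons.append("shorter than 8 characters")
    # A pattern match overrides the entropy estimate: an attacker tries
    # sequences and common passwords first, so the naive bound does not apply.
    if reasons:
        label = "weak"
    elif bits < 50:  # assumed threshold for this demonstration
        label = "fair"
    else:
        label = "strong"
    return {"password": pw, "estimated_bits": round(bits, 1), "label": label, "reasons": reasons}


if __name__ == "__main__":
    for candidate in ("87654321", "xK7#pQ2!vL9m", "aaaaaaaa"):
        print(rate_password(candidate))
```

The point of the two-stage check is that 87654321 scores about 26.6 bits on the naive estimate, which already looks poor next to a random mixed-character string, but the decisive factor is that it matches a numeric sequence and sits on a common-password list, so it is rated weak regardless of its length.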
Nevertheless, we need to consider the implications of the very real possibility that similar gaps in security knowledge exist in areas we did not survey, like password protection of devices, use of unencrypted Wi-Fi hotspots, scanning USB flash drives for viruses, and response to software update notifications. I think it then becomes very hard to argue that we don’t need to provide computer users with security training.
ESET Security Expert