While cyberattacks remain the no. 1 business risk in North America, only one in four employees are aware of the most common cyber security threats–including phishing attacks, ransomware, and impersonation–according to a Wednesday report from Mimecast.

The report surveyed more than 1,000 employees who operate company-issued devices to see how much employees know about cybersecurity risks, and how well businesses are addressing cybersecurity. With nearly 70% of employees using their company’s devices for non-work-related activities, the threat vector is larger than some might think.

SEE: 2018 Cyberwar and the future of Cybersecurity Report: Weakest links, international concerns, and prevention (Tech Pro Research)

Respondents reported reading the news (53%), checking personal email (33%), and browsing social media (23%) as the top three personal use cases on company devices. Nearly 28% of employees reported using their devices for personal reasons for more than one hour a day, and one in 10 employees said they do so for more than four hours a day, according to the report.

Not only are employees wasting valuable work time and killing their productivity, but the personal use of corporate devices also opens the door for a slew of security concerns, the report found. And many employees don’t understand the potential consequences of using work devices for personal means.

Nearly 60% of employees either aren’t aware that their company has a formal policy on personal web use at work, or don’t know that these policies exist in the first place, the report found. Only 45% of businesses currently provide mandatory formal cybersecurity training, even though human error is one of the most common causes of security problems.

Further, many companies rely on outdated, ineffective security practices, the report found, including emailed or printed lists of cybersecurity tips (33%), proactive prompts around safe and unsafe links (30%), and interactive videos (28%).

For organizations wanting to either refresh, improve, or begin better cybersecurity education practices, the report outlined the following three tips to get started:

1. Be persistent: A one and done approach isn’t enough. It’s important to keep reiterating to employees what they need to be aware of when it comes to cyber threats and best practices for spotting malicious messages, websites, etc. Don’t try to get every bit of training out of the way in a single onboarding class or annual refresher session. Instead, teach in short bursts of no more than a few minutes.

2. Make it mandatory: Training should be provided at 30-day intervals. More importantly, after you train once or twice, don’t stop there–make it a consistent, mandatory, company-wide practice.

3. Make it funny: The easiest way to lose your audience is by making the training boring, irrelevant, and worst of all, forgettable. Incorporating personalities, recurring characters and relatable content can go a long way toward the content having a lasting impact.For more tips on how to improve employee cybersecurity practices, click here.

The big takeaways for tech leaders:

  • Nearly 70% of employees use their corporate devices for personal use, opening the threat vector for cybersecurity attacks. — Mimecast, 2018
  • To protect companies, business leaders need to create a cybersecurity training that is persistent, mandatory, and funny. — Mimecast, 2018