While cyberattacks remain the no. 1 business risk in North America, only one in four employees are aware of the most common cyber security threats—including phishing attacks, ransomware, and impersonation—according to a Wednesday report from Mimecast.
The report surveyed more than 1,000 employees who operate company-issued devices to see how much employees know about cybersecurity risks, and how well businesses are addressing cybersecurity. With nearly 70% of employees using their company's devices for non-work-related activities, the threat vector is larger than some might think.
Respondents reported reading the news (53%), checking personal email (33%), and browsing social media (23%) as the top three personal use cases on company devices. Nearly 28% of employees reported using their devices for personal reasons for more than one hour a day, and one in 10 employees said they do so for more than four hours a day, according to the report.
Not only are employees wasting valuable work time and killing their productivity, but the personal use of corporate devices also opens the door for a slew of security concerns, the report found. And many employees don't understand the potential consequences of using work devices for personal means.
Nearly 60% of employees either aren't aware that their company has a formal policy on personal web use at work, or don't know that these policies exist in the first place, the report found. Only 45% of businesses currently provide mandatory formal cybersecurity training, even though human error is one of the most common causes of security problems.
Further, many companies rely on outdated, ineffective security practices, the report found, including emailed or printed lists of cybersecurity tips (33%), proactive prompts around safe and unsafe links (30%), and interactive videos (28%).
For organizations wanting to either refresh, improve, or begin better cybersecurity education practices, the report outlined the following three tips to get started:
1. Be persistent: A one and done approach isn't enough. It's important to keep reiterating to employees what they need to be aware of when it comes to cyber threats and best practices for spotting malicious messages, websites, etc. Don't try to get every bit of training out of the way in a single onboarding class or annual refresher session. Instead, teach in short bursts of no more than a few minutes.
2. Make it mandatory: Training should be provided at 30-day intervals. More importantly, after you train once or twice, don't stop there—make it a consistent, mandatory, company-wide practice.
3. Make it funny: The easiest way to lose your audience is by making the training boring, irrelevant, and worst of all, forgettable. Incorporating personalities, recurring characters and relatable content can go a long way toward the content having a lasting impact.For more tips on how to improve employee cybersecurity practices, click here.
The big takeaways for tech leaders:
- Nearly 70% of employees use their corporate devices for personal use, opening the threat vector for cybersecurity attacks. — Mimecast, 2018
- To protect companies, business leaders need to create a cybersecurity training that is persistent, mandatory, and funny. — Mimecast, 2018
- Phishing attacks: A guide for IT pros (free PDF) (TechRepublic)
- Culture the missing link for cybersecurity's weakest link (ZDNet)
- Cheat sheet: How to become a cybersecurity pro (TechRepublic)
- Cross-site scripting attacks: A cheat sheet (TechRepublic)
- The role cybersecurity should play in 2019 IT budget planning (ZDNet)
- The secret to successful cybersecurity programs? Training and automation (TechRepublic)
Macy Bayern has nothing to disclose. She does not hold investments in the technology companies she covers.
Macy Bayern is an Associate Staff Writer for TechRepublic. A recent graduate from the University of Texas at Austin's Liberal Arts Honors Program, Macy covers tech news and trends.