70% of Employees Lack Privacy and Security Awareness

When it comes to privacy and security awareness, many U.S. workers still have a lot to learn. Best practices for privacy and security are still not well understood by 70% of U.S. employees, according to a recent study by MediaPro, a provider of privacy and security awareness training.

For the study, MediaPro surveyed 1,012 U.S. employees and asked them a range of questions to determine their understanding of privacy and security, whether they followed industry best practices, and to find out what types of risky behaviors they engage in. 19.7% of respondents came from the healthcare industry – the best represented industry in the study.

Respondents were rated on their overall privacy and security awareness scores, being categorized as a hero, novice, or a risk to their organization. 70% of respondents were categorized as a novice or risk. Last year when the study was conducted, 88% of U.S. workers were rated as a novice or risk.

Last year, only 12% of respondents ranked as a hero. This year the percentage increased to 30% – A good sign that some employees have responded to training and are taking more care at work. Worryingly, while the percentage of novices fell from 72% last year to 51% in 2017, the number of individuals classed as a risk increased from 16% in 2016 to 19% this year.

Tom Pendergast, chief strategist for security, privacy, and compliance at MediaPro explained that in the risk category, there are two areas that have been consistently poor over the past two years: Physical security and safe remote working/mobile computing. In the latter category, one of the biggest risks was connecting to insecure Wi-Fi networks. The percentage of respondents that admitted doing this jumped from 45% last year to 62.3% this year – Overall, 19% of respondents admitted to risky practices when working remotely.

The overall scores across six of the eight categories being tested improved year over year, with notable improvements in identifying malware and phishing threats, reporting incidents, working remotely, identifying personal information, and cloud computing.

The two areas where there was decline were physical security – such as allowing individuals into a facility without checking identification – and social media security  – such as posting personal and sensitive company information on social media accounts.

Perhaps the biggest risk faced by organizations today is phishing. Phishing emails are the primary method of delivering malware and ransomware and obtaining sensitive information such as login credentials.

Respondents were tested on their phishing awareness and were presented with four emails, which they were asked to rate as legitimate or phishy. 8% of respondents were unable to identify the phishing emails correctly. Out of the phishing emails tested, the email offering a stock tip from a well-known investor fooled the highest number of respondents. 92% of respondents were able to identify a phishing email with a potentially malicious attachment, up from 75% last year.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.