Survey Reveals Bad Cyber Hygiene and Poor Password Practices are Commonplace

Most Americans are confident about their knowledge of cybersecurity, according to a recent AT&T survey of 2,000 Americans, yet bad cyber hygiene and poor password practices are still commonplace. The survey was conducted by OnePoll on behalf of AT&T and found that 70% of respondents felt they were knowledgeable about cybersecurity, with 69% saying they were confident in their ability to identify suspicious websites at a glance, yet the average person still lands on a suspicious online site or social media account 6.5 times a day.

When questioned about Internet use, only 39% of respondents said they knew that websites could spread malware to their computers and just 45% said they were aware that suspicious sites can lead to identity theft. 54% did not know the difference between an active threat – one that requires some user action – and an inactive threat – where a device is attacked without any user action.

Despite thinking they could identify suspicious websites, such as unverified sites, HTTP sites, and sites that have many pop-ups, the potential security risks from accessing those sites were often ignored. 38% of respondents said they visit those sites for streaming sporting events, 37% use the sites to download songs and video games that are hard to find, and 36% said they would visit those sites if they offered good discounts on purchases.

The risks from bad cybersecurity practices are not just theoretical. Poor cyber hygiene is exploited by threat actors and frequently allows accounts to be compromised. When asked about threat encounters, 45% of respondents said they had received a phone call from someone claiming to be from the government and 36% of respondents said they would respond to a communication if it appeared to have come from an official organization.

Fewer than 40% of people consider the security risks of accessing the Internet, such as potential device or network intrusions, malicious apps, or malware downloads, and the number of respondents who take password security risks is concerning. One of the biggest password security mistakes is using the same password on multiple accounts. In the event of a data breach at one company in which passwords are obtained, a credential stuffing attack could be conducted that would allow access to all other accounts where that password has been used. 42% of respondents said they reuse passwords across multiple accounts.

The best practice for creating passwords is to use a combination of upper and lower-case letters, numbers, and symbols, and to avoid using personal information in passwords. 31% of respondents admitted to using a birthday as their password, even though that information will be known to many people and can even be found on social media profiles. The survey also revealed that 34% of people are reactive rather than proactive about password security, and would only change a password if they received a security alert about an attempt that had been made to access their account from an unrecognized IP address. These bad password practices persist even though most people claim to be knowledgeable about cybersecurity, and password managers that can greatly improve password security are widely available for free or at a low cost.

These bad cyber practices should be a cause for concern for employers. If individuals are lax about personal security despite knowing the risks of identity theft and fraud, it is likely that those poor practices will also occur in the workplace. Employers should ensure they provide regular security awareness training to explain to their employees how taking risks such as these can put the organization at risk.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.