Public response and implementation of known cybersecurity best practices, including strong passwords, multi-factor authentication (MFA) and others, are lukewarm at best, according to a report from the National Cyber Security Alliance and CybSafe.
The survey of 2,000 people in the US and UK found that less than half (46%) of respondents say they use a different password for important online accounts, and 20% say that they do it “never” or “rarely”.
In addition, the survey found that nearly half (48%) of those polled say they have ‘never heard of MFA’, indicating that there is a clear disconnect between the tech industry and the public when it comes to fostering the adoption of best cybersecurity practices.
“First of all, we have to consider how nuanced the term ‘multi-factor authentication’ is,” said Lisa Plaggemier, acting executive director of the National Cybersecurity Alliance. “If this term were a little more user-friendly, it might be less intimidating and somewhat confusing for end users, and more of them would adopt it.”
She explained that organizations like hers are working to empower and educate everyone to understand what terms like multi-factor authentication mean and how these technologies can keep users safe online.
“All businesses should embrace multi-factor authentication to protect sensitive employee and customer accounts and data,” she added. “Since the study reveals that many people still don’t know what MFA is, it is up to the security teams in these organizations to help employees use MFA and do their part to keep it safe. of all.”
Despite the perception that older people are more likely to be exposed to cybercriminals and their tactics, research has found that younger generations are much more likely to recognize that they have been victims of cybercrime: millennials (44%) and Gen Z (51%) are more likely to say they have experienced a cybersecurity threat than Baby Boomers (21%).
Lack of access to cybersecurity training
The report also found that 64% of those surveyed do not have access to cybersecurity training, while more than a quarter (27%) of those who have access choose not to use it.
Plaggemier said a lack of access to cybersecurity training means that in general, the majority of employers and tech makers don’t provide people with the tools and knowledge they need to identify, avoid and report cybersecurity threats.
“But to be successful in tackling cybersecurity threats does not rely solely on training,” she said. “In fact, the study showed that although people had access to the training, some felt that they did not have the learning opportunity.”
As such, the gap between knowing and doing is still large when it comes to putting into practice what one has learned from cybersecurity training.
“It takes motivation and opportunities as well as knowledge to get people to adopt better cybersecurity practices,” Plaggemier said.
She noted that private companies, especially those creating cybersecurity products, must also do their part to ensure that their users clearly understand how to use their software and why regular updates are so essential to keep them safe online.
“We see from the research that people want to put safety first; it is important to them. But, because they’re often intimidated by the topic or find it confusing or time consuming, they give up,” Plaggemier said. She proposed that as an industry, leaders should facilitate safety, adding that if this awareness starts earlier, such as teaching students good cybersecurity hygiene in schools, it will be more familiar to them throughout their career life.
This could mean that the basics like using password managers, MFA, and updating security software would be a given.
“Organizations like ours want to make sure everyone has the resources they need to be safer and more secure online and to fulfill their cybersecurity role,” said Plaggemier. “We emphasize personal responsibility and the importance of taking proactive steps to improve security in our increasingly connected world.”
Challenges of cybersecurity and cybercrime
The study also indicated that it is difficult to get victims of cybercrime to report incidents, which has helped undermine cybersecurity.
While more than a third (34%) of individuals said they had personally been the victim of a cybersecurity breach, 61% said they did not report the incident. In addition, only 22% of those surveyed said they always reported a phishing attempt, one of the main types of threats deployed by cybercriminals.
Plaggemier said cybercrime reporting rates could increase if the stigma surrounding being a victim of cybercrime is removed and reporting is made easier. Indeed, respondents to the study indicated that they “do not believe that the authorities care enough to act on the basis of the information” or said that “nothing happens” when they report an incident.
“As such, many don’t think it’s worth reporting, while others don’t just because they don’t think they’re at risk,” she said. “If we embrace a ‘see something, say something’ culture, we can have a more positive impact on the whole industry.”