Business risks are unnecessarily high for organizations of all shapes and sizes due to poor practices around education and training of their personnel.
Yubico recently released a new report based on extensive research in this area. The researchers found that less than half (only 42%) of the businesses surveyed held frequent—and mandatory—cybersecurity training. That leaves 58% of companies with no required training at all.
Among the top topics for education, the research team learned that password protection is woefully lacking. Roughly half (47%) of employees surveyed often write down or share their passwords—one of many behaviors that result in account compromise.
Additionally, Yubico found that many workers (one third of them) allow other people to use their work-issued devices. More than half of the employees (58%) also used personal devices for work purposes, which can easily lead to leakage of sensitive data and exposure of business credentials.
Similar to the percentage of users doing business on personal devices, 49% take care of personal activities on work equipment—which can also easily lead to system compromise. Lastly, almost half of respondents knew they had been exposed to a cyberattack such as phishing and did not report the incident to their IT and/or security teams.
On the business management side, “very few” companies have implemented phishing-resistant security solutions or protocols in response to being targeted. Nearly one third (28%) reacted to suspected phishing compromises only by resetting the users’ passwords. Only a little more than a quarter (28%) of organizations required victims of phishing-related compromises to participate in supplementary security training.
Niall McConachie, regional director (UK & Ireland) at Yubico, opined that, “Cyber attacks, and how to prevent them, should be top of mind for every organization. However, our research reveals a remarkable disparity between the risks of cyber-attacks and businesses’ attitudes toward them.”
McConachie also advised that businesses should implement multi-factor authentication (MFA) immediately and consider using FIDO2 security keys. Such keys have been proven to be the most effective phishing-resistant option for business-wide cybersecurity, according to McConachie.
“By removing the reliance on passwords, MFA and strong 2FA are more user-friendly and can be used for both personal and professional data security.”
The report concluded with the sobering fact that one of the most commonly used passwords, “123456,” is still in use today, despite being one of the passwords most frequently tried in account compromise attempts.
An excellent way to assist your organization in educating users—especially about the dangers of phishing attacks—is to use our Webcheck Aware phishing simulation solution. Contact us today for a discussion of how our solution and services can help you meet your security needs.