Public’s Knowledge of Cybersecurity Best Practices Sorely Lacking

Public response to and implementation of commonly known cybersecurity best practices, including strong passwords, multifactor authentication (MFA) and others, are tepid at best, according to a report from the National Cybersecurity Alliance and CybSafe.

The survey of 2,000 individuals across the U.S. and UK found that fewer than half (46%) of respondents say they use a different password for important online accounts, with 20% saying that they “never” or “rarely” do so.

A Clear Disconnect

In addition, the survey found nearly half (48%) of respondents say they have “never heard of MFA”, indicating there is a clear disconnect between the technology industry and the public when it comes to driving the adoption of cybersecurity best practices.

“First, we have to consider how nuanced of a term ‘multifactor authentication’ is,” explained Lisa Plaggemier, interim executive director of the National Cybersecurity Alliance. “If this term was a bit more user-friendly, it may be less intimidating and somewhat confusing to end users, and more of them would adopt it.”

She explained that organizations like hers are working to empower and educate everyone to understand what terms like multifactor authentication mean and how these technologies can keep users safe online.

“All businesses should be adopting multifactor authentication to safeguard employees’ and customers’ accounts and sensitive data,” she added. “Since the study uncovers that many people still don’t know what MFA is, it’s up to the security teams at these organizations to help employees utilize MFA and do their part to keep everyone safe.”

Despite the perception that older individuals are more likely to be susceptible to cybercriminals and their tactics, the research uncovered that younger generations are far more likely to recognize that they have been a victim of cybercrime—millennials (44%) and Gen Z (51%) are more likely to say they have experienced a cybersecurity threat than baby boomers (21%).

Lack of Access to Cybersecurity Training

The report also revealed 64% of respondents have no access to cybersecurity training, while more than a quarter (27%) of those who do have access choose not to use it.

Plaggemier said a lack of access to cybersecurity training means that, in general, the majority of employers and technology manufacturers are failing to equip people with the tools and knowledge they need to identify, avoid and report cybersecurity threats.

“But to be successful at combating cybersecurity threats doesn’t solely rely on training,” she said. “In fact, the study showed that even though people had access to training, some felt they did not benefit from the learning opportunity.”

As such, the gap between knowing and doing is still wide when it comes to putting into practice what’s learned from cybersecurity training.

“It takes motivation and opportunity along with the knowledge to get people to adopt better cybersecurity practices,” Plaggemier said.

She noted private enterprises—especially those who create cybersecurity products—need to also do their part to ensure their users have a clear understanding of how to use their software and why regular updates are so critical in keeping them safe online.

“We see from the research that people want to prioritize security; it’s important to them. But, because they’re often intimidated by the topic or find it confusing or time-consuming, they give up,” Plaggemier said. She proposed that as an industry, leaders need to make staying secure easier, adding that if this outreach starts earlier—like teaching students good cybersecurity hygiene in schools—it would be more familiar to them throughout their lives.

That could mean that basics like using password managers, MFA and updating security software would be no-brainers.

“Organizations such as ours want to ensure that everyone has the resources they need to be safer and more secure online and own their role in cybersecurity,” Plaggemier said. “We stress personal accountability and the importance of taking proactive steps to enhance security in our increasingly connected world.”

Cybersecurity and Cybercrime Challenges

The study also indicated that there are challenges to getting victims of cybercrime to report the incidents, which serves to undermine cybersecurity.

While more than a third (34%) of individuals said they have personally been a victim of a cybersecurity breach, 61% said that they did not report the incident. Furthermore, only 22% of respondents said that they always reported a phishing attempt—one of the leading threat types deployed by cybercriminals.

Plaggemier said cybercrime reporting rates could increase if the stigma around being a victim of a cybercrime is removed, and by making it easier to report. Indeed, respondents of the study noted they “don’t believe the authorities care enough to act on the information” or stated that “nothing happens” when they do report an incident.

“As such, many don’t believe it’s worth reporting while others don’t report simply because they don’t believe they have anything at risk,” she said. “If we adopt a ‘see something, say something’ culture, we can have a more positive impact on the industry overall.”

Nathan Eddy

Nathan Eddy is a Berlin-based filmmaker and freelance journalist specializing in enterprise IT and security issues, health care IT and architecture.
