Despite being the first line of defense against cyberattacks, many employees say they have never received any cybersecurity training from their employers.
A KnowBe4 report based on a survey of 2,000 workers says that almost a fifth (18%) have never received any cybersecurity training from their employers.
Furthermore, 51% have not received training on how to avoid phishing scams, possibly the most widespread cybercriminal activity in the world. Finally, almost half (48%) have never received training on how to create secure passwords.
Shared responsibility
Other cybersecurity practices that employees have not yet been trained on include:
Remote work best practices (60%)
What to do if your credentials have been compromised (66%)
Social engineering (82%)
Deepfakes and AI (83%)
Bring your own device (84%)
While hardware and software vulnerabilities, both zero-day and otherwise, are a huge risk to organizations, most cyberattacks start with human error. Sometimes it’s an unprotected database, sometimes it’s a person inadvertently clicking on a link in a phishing email or downloading malware in an attachment, and sometimes it’s a weak password that attackers can easily crack by brute force or obtain through credential theft.
“The technological landscape is constantly changing, so failing to include training in new areas such as deepfakes and AI could put UK organisations at greater risk of cybercrime,” said Javvad Malik, senior security awareness advocate at KnowBe4.
When their company offers cybersecurity advice, nearly three-quarters of employees say they follow it; however, 29% admitted they simply forgot it. Additionally, 22% believe cybersecurity advice is too complicated to follow, and 14% believe cybersecurity is not their responsibility.