CISOs have enough on their shoulders trying to oversee enterprise strategy on protecting the network, data and making staff security-aware without having find time and resources to educate customers. It would help ease that load if those outsiders have secure PCs and mobile devices before trying to access the network.
However, a new global survey of consumer cyber security awareness shows that’s still an uphill battle, despite millions in marketing from governments and companies selling security solutions.
According to the annual Norton Cyber Insights Report from Symantec, 59 per cent of Canadian consumers surveyed claim they use a secure password for every account — however one in four admitted sharing these passwords with others. Those others could be family members, but it is risky.
“Our findings show that consumers are growing increasingly aware of the need to protect their personal information online,” says the report. “Unfortunately, many consumers are not motivated to take even simple steps to stay safe online. As hackers continue to hone their skills and adapt their scams to take advantage of people, it’s important for them to take action to protect themselves.”
Consumers “remain complacent about protecting their personal information. While there are people who understand that cybercrime is an inevitable circumstance of living in a connected world, human nature is still at play when it comes to dealing with cyber security. Even past victims of cybercrime sometimes fall back into old habits.”
The company surveyed 20,907 consumers in 21 countries online, including Canada and the U.S.
Among the findings:
–62 per cent of respondents believe — despite news reports about problem Internet of Things devices including cars — that connected home devices were designed with online security in mind. I’d agree that many devices ARE designed with security — however, there’s evidence the security controls may be weak. Take, for example, this recent story about connected light fixtures;
— 71 per cent of respondents say public Wi-Fi is useful for checking emails, sending documents and logging into accounts on the go. Risky? Yes, depending on user practices. I’d argue that’s less of a problem if the device has two-factor authentication, but it could be a big problem if the user opens attachments. Doing financial transactions on an unsecured Wi-Fi network is risky, and the user is really relying on the financial institution’s security infrastructure;
–Here’s conflicting numbers: 70 per cent of respondents wish they could make their home Wi-Fi network more secure. Meanwhile only 27 per cent believe it is likely their home Wi-Fi network could be compromised;
–The report didn’t detail how but found nearly three in 10 surveyed cannot detect a phishing attack, and another 13 per cent have to guess between a real message and a phishing email.
The survey does raise the question of who is responsible for educating consumers on cyber security best practices? “We’ve seen in research in Canada but also the U.S. and U.K. that education of the user comes back time and time again” as a factor in improving enterprise security, Satyamoorthy Kabilan, the Conference Board of Canada’s director of national security and strategic foresight. “In fact there are those who speculate that getting that right would reduce a lot of the problems we seek.”
But, he said, for infosec pros pinpointing responsibility is like the dilemma of a manufacturer selling a chainsaw: Regulations may mandate safety mechanisms into the device’s design, but the manufacturer isn’t expected to teach every buyer how to safely use it. “At the end of the day it really down to the user to understand what some of the challenges are in the equipment they buy. Is that easy? No. Is it ideal? Probably not. It’s a hard balance to strike.”
The survey results aren’t entirely discouraging. Increasingly people are becoming more aware of cyber security, particularly in Western nations. However, the message isn’t getting through to a lot. Part of the solution is regular security awareness training in the workplace. If all organizations do it when employees go home they will use safe online practices there as well. Security vendor marketing will help, as will government efforts like the just-completed annual cyber security awareness month.
But it’s still an uphill battle.
The report is available here. Registration is required.
