In the brisk air of early autumn, optimism fills our hearts as we celebrate the 20th anniversary of Cybersecurity Awareness Month, an annual event dedicated to fostering a deeper understanding of cybersecurity and inspiring behavior change.
Two decades ago, the prevailing belief among security professionals was that raising awareness alone could lead to secure online behaviors. But in 2023, we’ve learned that hope is not a strategy. Today, armed with evidence and guided by behavioral science, we understand that cybersecurity demands more than awareness—it requires a profound shift in behavior.
The 2023 Annual Cybersecurity Attitudes and Behaviors Report marks a significant milestone. The report surveyed over 6,000 individuals across six nations to gain comprehensive insights into their cybersecurity knowledge, behaviors, and challenges.
Revelations from the survey are eye-opening. While awareness of cybersecurity risks has grown, many individuals still fall short when implementing essential security measures. For instance, only 60% employ strong passwords, and 40% use multi-factor authentication.
But there’s hope. The report not only highlights challenges but also offers actionable recommendations for both individuals and organizations. We can work together to create a safer digital world by understanding the why and how of behavioral change.
Join us on this journey into behavioral science as we dissect the report’s findings and unravel the secrets to better cybersecurity practices.
This third annual report is breaking new ground by expanding the scope and enhancing its research methods. With over 6,000 participants from six nations and a focus on diverse cybersecurity aspects, this report offers fresh insights. It refined its questions, added qualitative inquiries, and strategically targeted employed participants, all to provide a comprehensive view of cybersecurity attitudes and behaviors.
Online activity is growing
The digital landscape continues to expand at an astonishing rate, with a remarkable 93% of the participants indicating daily online activity. 7% of individuals reported connecting to the Internet less than once a day. Our lives are increasingly intertwined with the online realm as we maintain numerous accounts spanning various websites and applications, some of which house our sensitive personal data.
The revelation is striking: nearly half of the participants, a substantial 47%, manage ten or more sensitive online accounts, including those tied to payments and primary email. Even more astonishing, 15% of respondents candidly confessed that they’ve lost track of the sheer number of such accounts in their digital portfolio.
This profound digital presence underscores the importance of cybersecurity vigilance. As our online footprints expand, so do the opportunities for cyber threats, making it imperative for individuals and organizations to remain acutely aware of the evolving cybersecurity landscape.
But security is a big concern
While attitudes toward online security are generally positive, a significant portion of participants express frustration and doubt. Impressively, 84% view security as a priority, and 69% believe it’s attainable. However, not everyone sails smoothly on the sea of online security. A substantial 39% find themselves frustrated, while 37% admit feeling intimidated by the challenges of staying secure online.
For some, the abundance of cybersecurity information becomes overwhelming, leading 32% to scale back their online activities. Furthermore, security often comes at a cost, with nearly half of respondents (49%) acknowledging the financial implications of protective actions.
Interestingly, 69% consider the effort invested in online security worthwhile. Nevertheless, younger generations, such as Gen Z (21%) and Millennials (23%), express more skepticism about the return on investment compared to Baby Boomers (6%) and the Silent Generation (9%).
Media coverage plays a pivotal role, motivating 56% of participants to take protective security measures, while 51% find it valuable for staying informed. However, it’s not all positive, as 44% of respondents admit that media coverage can evoke fear, and 42% believe it overly complicates online security.
As we delve deeper into cybersecurity training, a mere 26% report access to such training, while a surprising two-thirds (64%) have no access at all. These findings highlight the complex landscape of online security perceptions and the challenges individuals face in navigating it.
Cybersecurity training is crucial
In the ever-evolving landscape of cybersecurity, training emerges as a vital cornerstone. However, the training terrain is uneven. Surprisingly, just over a quarter of participants (26%) reported having access to and utilizing cybersecurity training. Alarmingly, a staggering two-thirds (64%) of individuals noted a glaring absence of any training opportunities.
Who gets the privilege of training? Primarily, those in employment (47%) or engaged in studies (49%) tend to have better access. Nonetheless, a significant portion, 53%, of the employed still find themselves without training access.
Regarding learning preferences, online training courses take the lead, preferred by almost half (47%) of employed participants, surpassing in-person training (24%). Interestingly, there’s a growing affinity for nudges and alerts, with nearly a fifth (19%) expressing a preference for just-in-time alerts and notifications.
The impact of cybersecurity training is substantial. Most find it useful (84%) and engaging (78%). 79% of participants have implemented the cybersecurity advice they received. Remarkably, just 6% reported no changes in their cybersecurity behaviors, while 15% believed they already adhered to best practices. Notably, training has yielded tangible results, with 50% feeling more adept at recognizing and reporting phishing messages, 37% adopting strong and unique passwords, and 34% embracing multi-factor authentication.
And so is reporting
The importance of cybercrime reporting is on the rise, shedding light on the incidents and their impact. Participants bravely shared their experiences, disclosing 2,047 incidents resulting in financial losses or data breaches. These incidents encompassed phishing attacks, identity theft, and even online dating scams.
27% of respondents admitted falling victim to at least one form of cybercrime. While this marks a 7% decrease from the previous year, it is concerning that 50% of participants perceive themselves as potential targets for cybercriminals, indicating a 7% increase in such concerns.
Phishing emerges as the star of the cybercrime show, constituting 47% of total incidents. Surprisingly, online dating scams (27%) have surpassed identity theft (26%) compared to last year.
Millennials find themselves in the cybercrime spotlight, leading the pack with incidents, particularly online dating scams (44%), followed closely by phishing (36%) and identity theft (37%).
On a positive note, 88% of those affected by cybercrime reported their experiences to someone. Reporting rates remained favorable across all crime types, with only a small fraction of incidents leading to data or money loss going unreported: 14% for phishing, 16% for online dating scams, and 8% for identity theft.
The type of crime influenced reporting channels, with 59% of phishing victims, 54% of identity theft victims, and 42% of online dating scam victims reporting the incident to their bank or credit card company. These trends in reporting reflect a growing awareness of the importance of sharing cybercrime experiences.
Staying safe online requires a few easy steps
We’ve delved deep into cybersecurity behavior, uncovering five key practices that make a difference (yet which respondents are drastically overlooking):
1. Password Hygiene:
- Over a third change passwords only when necessary.
- Almost half create passwords on their own.
- Younger generations often update passwords minimally.
2. Managing Passwords:
- More than half have never used a password manager.
- Many prefer writing down passwords or relying on memory.
3. Multi-Factor Authentication (MFA):
- Nearly one-third haven’t heard of MFA.
- Awareness varies across generations.
4. Software Updates:
- Most keep devices updated, but some lag behind.
5. Data Backup:
6. Recognizing and Reporting Phishing:
- While most check for phishing, some struggle to spot it.
- Reporting phishing varies among participants.
As we wrap up this journey into cybersecurity behavior, remember that the adventure continues. Want to delve even deeper into the minds of technology users and learn how to learn from others’ mistakes? Read the extensive Annual Cybersecurity Attitudes and Behaviors Report 2023.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire.