Employers overestimate staff cyber smarts

A good illustration, this time from New Zealand, of the three-way cognitive dissonance around cyber security and employees. Infosec teams tend to assume all ‘users’ are dumb and need controls to stop them doing dumb things; HR and other senior management place trust in security training and awareness programs to improve cyber hygiene; employees see training and awareness as an inconvenience which doesn’t change behaviour.

We started working with a behavioural science-based company, OutThink, to try to take a different approach…:

New research has revealed a big difference between how employees and IT decision makers view cyber security.

The research from Kordia, commissioned by Aura Information Security, found staff are not as secure as their IT managers may think.

“The ‘human factor’ has long been a weak link when it comes to cyber security,” Kordia says.

“Businesses can have the best protection available, but if a staff member unknowingly lets a cybercriminal into the system, then it won’t matter.”

While 62% of New Zealand businesses say they carry out security training exercises with their staff, only 37% of Kiwis say they have received training on good cyber security practices, the research says.

This disconnect is further emphasised by password practice. Most IT managers encourage all staff to use a password manager to ensure the most common password mistakes aren’t made. However, it doesn’t appear staff are taking this advice, with one third of employees admitting to reusing the same passwords across both work and personal devices and accounts.

[…]

Original article