One-in-three employees who know their password is compromised still won’t change it

I’ve reached that stage of disillusionment about end user security where I’ve stopped blaming individuals for bad cyber hygiene and instead blame the infosec world for not adapting to the average Joe/Josephine’s inability or lack of motivation to adopt basic security practices. We might insist on annual training sessions, send round ‘name & shame’ phishing tests, and run awareness months, but it doesn’t seem to move the dial:

One-in-three Australian workers who admit to having enabled data breaches are still unwilling to change their already compromised passwords, a new study reveals.

Human error has always been a security risk, but according to cyber security firm Webroot’s latest report, office culture might present a larger issue when it comes to maintaining cyber health.

Over half of the 4000 surveyed workers have compromised personal and financial data by clicking on links from unknown senders. The report shows this behaviour isn’t a one-off either — these employees clicked on risky links multiple times.

Of this group, over a third were so apathetic that they didn’t bother to change their passwords after the breach.

And although 90% of employees consider themselves able to distinguish real emails from their phishing counterparts, 60% will click on links from unknown senders anyway.

[…]

Original article here