People are often the first line in a company’s cybersecurity defences. We surveyed nearly 1,000 employees to find out how they keep themselves and their organisations safe.
Cyberattackers often use employees as a convenient entry point into a business. It can be easier to trick a person into handing over sensitive information than breaking into a network to steal it. As a result, organisations are paying increasing attention to the human side of cybersecurity.
To find out more, we surveyed 995 employees in the UK who had some knowledge of the cybersecurity tools in place at their company. In part one, we focussed on current and future threats to organisations, such as ransomware attacks and phishing, and the defences they use, including increasing levels of AI-powered software. In this article, we explore how hackers target individuals and the personal measures employees take to prevent attacks.
86% of respondents to our survey either had direct involvement in security decisions or full awareness of the solutions in place. 14% were only partially aware. In this article, we refer to these groups as ‘more cyber-aware’ and ‘less cyber-aware’ employees. You can scroll down to the bottom of the article for a full methodology.
42% of employees go beyond their company’s standard security practices
Even though their job title may not have security in it, every employee has a role to play as a gatekeeper to their company’s sensitive data. Attackers know that one compromised account can give them access to an entire network, so good organisational cybersecurity starts with the recognition of everyone’s personal responsibility. The employees in our survey showed relatively high awareness of this overall.
This is important because many also report that they have access to more data than they strictly need. While 61% say employees in their company can only get to the information they need to do their job, more than one-third have higher privileges.
The risk here for businesses is that it only takes one careless, compromised, or disgruntled employee to cause a data breach. By restricting employee access to a minimum, organisations can reduce the potential attack surface.
The good news is that awareness of the risks is high, at least according to employees themselves. 77% thought they had a good or very good awareness of cybersecurity risk and best practices within their company. Additionally, 42% said they apply some of their own personal security practices when using company devices, beyond what their company’s policies require. These included locking their screen, using a VPN, and using multi-factor authentication.
That said, a sizable proportion (38%) said they reuse passwords across multiple accounts. This is considered poor practice. If one password is compromised (e.g. if a website suffers a data breach and its user details get leaked), attackers can try that password on other sites and gain access to other accounts. In the past 12 months, 17% of the people in our survey said they had experienced an account takeover, where someone used a stolen username and password to gain access.
Most employees are confident in their company’s approach to cybersecurity
Because they are a significant entry point for cyberattacks, IT users need to understand the risks involved and how their actions can help mitigate them. It’s important, therefore, for organisations to involve them in cybersecurity processes where possible. The majority of employees in our survey (78%) said that their company has procedures in place for reporting suspected cyberattacks, but a sizable proportion (11%) said they don’t know if this is the case.
As well as knowing the formal pathways to report incidents, employees in general also report that their companies have established plans to respond to incidents. 71% of employees said that an incident response plan is in place, but 16% weren’t sure.
Nearly half the respondents in our survey (46%) said they had raised cybersecurity concerns with their company's IT department in the past, and in most cases got a good response. IT departments tended to react by encouraging open communication, involving employees, and sharing information.
Perhaps as a result, satisfaction with corporate approaches to cybersecurity is high among the employees in our survey. 81% say they are ‘very’ or ‘quite’ confident that their company is taking cybersecurity seriously.
Tips to help employees engage with cybersecurity
There is always room for companies to involve staff more closely in cybersecurity, and employees themselves saw several ways their employers could do this.
- 57% wanted to see education and training. Companies may want to consider training software for this. As well as helping to deliver training material and assess employees’ understanding, these tools can help employers identify skills gaps across the organisation.
- 46% said that phishing simulations could help improve engagement. These involve sending safe messages that look like phishing attempts to help staff recognise these attacks in the future. Many security awareness training products include this feature.
- 39% would like to see clearer explanations of security policies and guidelines. Internal communications software can help employers share information on cybersecurity practices and contacts and maintain an open dialogue with staff. Policy management tools can also be used to build and share company policies internally.
If your business is struggling to raise awareness, employee engagement software is another option. This can help by streamlining communications between staff and management.
A trained workforce is a protected workforce
Almost all of the employees in our survey said they receive cybersecurity training of some kind, and many receive education in multiple areas. Data privacy is a major element of this, with 70% of employees having training in it. 65% also receive general cybersecurity training, and just under half have training about onsite safety and physical access.
Over three-quarters of the employees in our survey (76%) said they undergo security awareness training once a year or more. The Information Commissioner’s Office (ICO), which upholds information rights in the UK, has published guidelines about awareness and training. It doesn’t mandate specific training intervals, but expects employers to ‘regularly [use] a variety of appropriate methods to raise staff awareness’.
To ensure your employees are fully up to speed on your cybersecurity policies and practices, you could consider a learning management system (LMS). These tools allow organisations to design and deliver education programmes, track employees’ progress, and evaluate performance across the business.
This could also be particularly useful for engaging staff and attracting talent from outside the organisation. In GetApp’s 2023 Career-Driven Learning in SMEs survey, respondents tended to see learning and development opportunities as a reason to stay with a current employer, and many also saw them as a big incentive to apply for a position with a company. This is in part a response to a high interest in developing new skills due to AI’s growing use in business.
Our research indicates that people in UK businesses recognise their role in organisational cybersecurity, but there are areas where employers could do more to shore up their defences.
Restricting user access to just the data they need, improving two-way communication about security matters, and ensuring that formal training is in place can all help reduce risks and reinforce good practices.
The data for GetApp’s 2023 Data Security Survey was collected between November 10th and 26th 2023 and comprises answers from 995 respondents. We selected our survey sample based on the following criteria:
- UK resident
- Aged between 18 and 65 years old
- Full-time employee
- Works for a company which uses cybersecurity software tools for protection and has some awareness of which tools are used