Oh, Behave! Report 2023: Cybersecurity Progress is Being Made, But There Is a Long Way to Go


As November begins and Cybersecurity Awareness Month ends for another year, we have heard many meaningful expert discussions getting into the fine details of the people, process, and technology (PPT) framework. From Generative AI and DMARC standards to password protection and phishing, the cyber industry is buzzing with ideas on how to combat the ever-growing threat of increasingly savvy cybercriminals. And while it’s crucial to look to the experts for guidance, it’s also important to meet the general public where they are. So, how exactly do people feel about cybersecurity in 2023?

October saw the release of CybSafe and the National Cybersecurity Alliance’s annual Oh, Behave! report. This was a deep dive into the security behaviors of over 6000 individuals across six countries and three continents, to better understand how the general public feels and acts when it comes to cybersecurity – at work, at home and at school.

Key Findings

There are a few interesting themes that emerged in this year’s research.

Firstly, the good news. We are making some important collective progress. Attitudes towards online security remain high, with 84% of people considering it a priority. Almost one in five people are saving passwords in their browser or a password manager, an 8% increase from last year. Furthermore, we are becoming more familiar with tools like multi-factor authentication. A fantastic 70% had heard of the technology, and 67% of those users knew both how the technology worked and used it regularly.

These incremental improvements are showing across several processes, from recognizing and reporting phishing to lengthening passwords and beyond.

It hasn’t all been good news, however. The research confirmed the vast majority of cybersecurity training occurs through work or education, yet even in these settings the access figures remain low, at 47% and 49% of people receiving training, respectively. Access to training for those who are retired sat at a measly 8% and just under double that (15%) for those who are not in active employment. So, it is clear that while the workplace and education centers are effective vehicles for improving cyber awareness, a significant portion of the population still has little access to training at all.

The lack of personal desire to seek out training was evident in general opinion, too, with around half (49%) seeing online security as an expensive endeavor.

A Surprising Generational Trend

Perhaps the most interesting insight of this year’s report is the differing attitudes towards online security among different generations.

Through work and education, there is no doubt that younger generations have much better access to training and cybersecurity tools than older generations. Furthermore, as the people more likely to have grown up with devices as a permanent fixture, one would expect them to be more optimistic and less victimized by scammers.

Surprisingly, this has not been the case.

When discussing the statement “I feel that staying secure online is a priority,” the younger the respondent, the more likely they were to disagree. While 94% of the Silent Generation and 91% of Baby Boomers agreed with the statement, only 82% of millennials and a surprising 69% of Gen Z agreed. Similarly, Gen Z was the generation least likely to agree with the statement that staying secure online is ‘worth the effort,’ with just over half (52%) agreeing.

This reality is reflected in the victimization figures. Of all the survey respondents, millennials were most likely to be the victims of phishing, online dating scams and identity theft.

These surprising trends almost suggest a sense of learned helplessness among younger generations. Gen Z was least likely to agree that feeling secure online is achievable (59%) and also the least likely to agree that staying secure online is under their control (44%). As our information becomes increasingly public through the likes of data sharing and social media, the seemingly universal accessibility of our data is having an impact on how we view our security.

What Does This Mean for Businesses and Organizations?

According to the World Economic Forum, Gen Z will make up over 25% of the workforce by 2025. With the above findings suggesting attitudes towards the importance of cybersecurity are going in the wrong direction, what do businesses need to know moving forward to counter that trend?

One encouraging element of the research findings is that while younger generations are more pessimistic about their chances of remaining secure online, they do have an awareness of the tools and technology that help them to remain secure.

The research also suggests that employment is a main driver of training and awareness. However, there is less of a consensus on the most effective way to deliver training. While almost half of the employed respondents preferred online training courses, a quarter (24%) preferred in-person sessions, while around one in five (19%) preferred guidance through notifications and alerts at the time of need – an increasingly popular form of behavioral intervention.

When it comes to the reasons that workers aren’t participating in the training assigned to them, answers also differ. By far, the most common reason for skipping cyber training is a lack of time, with 29% of participants struggling to fit their training in. Other common explanations are that employees believe they won’t gain anything (12%) or that they already know enough about cybersecurity (18%). Additionally, 16% suggested that training will not reduce their chances of becoming a victim.

What Can Be Done?

In order to develop cyber skills within the workforce, leaders need to tailor training around what works for their business. At the end of the day, it’s important to go beyond ticking the compliance box and move towards a system that genuinely engages workers.

The research suggests that employers providing training are increasingly adopting a more regular approach. Next, they will need to focus on maximizing the effectiveness of that training. Would uptake be better on Microsoft Teams or Slack? Is a mix of communication channels more impactful? How regular should training be, and should it be in one sitting or in more manageable, bite-size chunks?

Crucially, it is about going beyond the what to figure out the how, where, and why. By fostering a culture in which employees are aware of the risks associated with breaches and are comfortable raising concerns, weaknesses, and what works for them, leaders can develop a knowledge base and an atmosphere that protects employees and their employers alike.
