
Over half (55%) of cybersecurity professionals have admitted to engaging in risky cybersecurity behaviours while at work.

This is according to a survey conducted at Infosecurity Europe 2023 (20 - 22 June) among 220 cybersecurity professionals on behalf of KnowBe4, the provider of the world’s largest security awareness training and simulated phishing platform.

Indeed, one in every three respondents (33%) admitted to using entertainment or streaming services. This was followed by sharing personal information (15%), signing up to too many email subscriptions (15%) and opening malicious email attachments (13%).

Other activities included:

  • Downloading malicious applications (9%)
  • Using gaming/gambling websites (8%)
  • Using unauthorised removable media like USBs (8%)
  • Using unauthorised cloud backup or storage for work documents (8%)
  • Using adult entertainment websites (3%)

Equally concerning, 80% of cybersecurity professionals have observed users within their organisations participating in the same behaviours. Over half (52%) have seen colleagues use entertainment or streaming services, 43% have spotted them opening malicious email attachments and 42% have caught their co-workers sharing personal information.

In addition to this, they also noted colleagues doing the following:

  • Signing up to too many email subscriptions (33%)
  • Using unauthorised removable media like USBs (31%)
  • Downloading malicious applications (30%)
  • Using unauthorised cloud backup or storage for work documents (29%)
  • Using gaming/gambling websites (28%)
  • Using adult entertainment websites (19%)

KnowBe4 has collected data from its SecurityCoach real-time coaching tool, which identifies and analyses risks stemming from work-related behaviours, and found these activities to be the top precursors to an attack or breach. The fact that so many respondents admit to engaging in them at work therefore introduces risk that can range from social engineering and phishing to malware downloads and scams.

Remarkably, over a quarter (26%) found that, in their experience, individuals from marketing/sales were the most likely culprits of these unsafe behaviours. Individuals from the C-suite and IT department also made the top 3 at 17% and 11%, respectively.

Nearly half (49%) of respondents believe people exhibit these behaviours because they are not aware of the problem, while 36% claim that users are aware but do not care.

“The findings of this study demonstrate not only a need for regular security awareness training, but of cultivating a strong security culture. This means going beyond educating staff on threats, how to respond and teaching them to identify how they can help prevent them,” said Javvad Malik, lead security awareness advocate at KnowBe4. 

“Creating a security culture requires a shift in attitude, behaviour, perception of responsibility and overall organisational norms, so that best practices are embedded into everyday operations and thinking. Cybersecurity should be recognised company-wide as a priority. If this is successfully achieved, users will be more mindful about what they do, and take the time they need to respond appropriately to potential threats.”