Cybersecurity: Research Reveals 79% of Employees Engaged in Risky Behavior

If you are an IT manager looking for information to present to your bosses to emphasize the need for an effective cybersecurity training program, new data from a 2021 research study might be just what you need.

Security services provider Thycotic published the survey results in a report entitled “Balancing Risk, Productivity, and Security.” The firm partnered with SAPIO Research to conduct a survey of 8,041 workers in 15 countries. The results are surprising, if not shocking, and offer several reasons for concern.

What researchers learned

The survey revealed that, although more than 85% of those polled said they felt some responsibility for ensuring that they don’t do things that could expose their organizations to increased risk, 51% of respondents believed their IT departments should be completely responsible for preventing their employers from falling victim to cyber-attacks. Many in the IT business have been a bit irritated by this mindset before, but most probably hadn’t imagined this number would be so high.

Nearly half of respondents (45%) believed cyber attacks posed little or no risk to their organizations. Perhaps that’s why, according to the Thycotic report, 79% of survey participants admitted to having engaged in at least one risky activity within the previous year. The activities included sharing their login credentials with coworkers, using personal devices at work without authorization, using the same password for multiple accounts, and even permitting their company devices to be used by family members.

Why is this happening, and what’s the reason for the lack of cybersecurity concern? Per the survey, a shockingly high 56% of respondents said they had received no cybersecurity training within the previous year. They simply don’t know they should be concerned. They’re not told that their behaviors can create significant risks for their employers or that the IT department can’t stop every attack. Because phishing is, and has been for some time, the most utilized attack vector (see Verizon’s Data Breach Investigations Report at verizon.com/business/resources/reports/dbir/), and the best defense against this and other social engineering attacks is user education, this lack of training is truly alarming.

Recent events increase the threat

With so many working remotely since the pandemic began in 2020, employees must be given additional training regarding risks associated with remote connectivity, using personal devices to connect to company resources, allowing family members to use company-owned devices, and maintaining the security of their home networks. Effectively, allowing employees to work remotely has transformed what had been local area networks into wide area networks, with home networks becoming part of organizational infrastructure. This significantly expands the attack surface.

Build an effective training program

Effective cybersecurity training programs are ongoing, continuously updated, and periodically evaluated to measure their effectiveness and identify areas needing improvement. They require the active participation of trainees. Merely sending out a newsletter and assuming employees are reading it, understanding the material, and retaining the information isn’t sufficient. They need to be engaged. Requiring them to participate in tabletop exercises and perhaps some classroom or online courses allows them to ask questions. Quizzes ensure that they are paying attention.

Introducing stress into the mix improves retention. An example would be simulated phishing campaigns wherein employees receive suspicious emails and don’t know whether they are real threats or fakes. Offering training that employees can benefit from in their personal lives, as well as at work, gives them more incentive to learn and retain the information.

Monitor Employees’ Endpoints

With a service like Cybriant MDR, you can monitor and protect all endpoints on a 24/7 basis. The service includes lightweight software installed on all the endpoints you want to protect, and our team watches your endpoints for unusual activity. By using AI technology, we can detect and prevent attacks before they can fully execute. When a threat is detected, we can contain and mitigate threats from all diverse modes of attack.

Learn more at cybriant.com/mdr. 

Cybriant announces PREtect®; New Integrated Cyber Risk Management Service

UPDATE: PREtect has been rebranded to CybriantXDR. Read more here: https://cybriant.com/cybriant-xdr/


Five essential cyber risk management services integrated into an affordable, flexible, subscription-based model


Alpharetta, GA – November 15, 2017 – Cybriant, a leader in cybersecurity services, today announced an integrated service offering called PREtect.  PREtect managed security services are designed to optimize the protection of data assets and the detection of malicious events by addressing the most common vulnerabilities in the enterprise.

“As we see in many highly publicized breaches, most result from the poor practice of fundamental processes or poor response to identified vulnerabilities. PREtect is designed to address these weaknesses,” said Jeff Uhlich, CEO of Cybriant. “The integration of these practices and technologies in the hands of experienced professionals can deliver more responsive functional value to organizations. Especially those with limited technical or security resources.”

Utilizing leading technologies and seasoned security expertise, Cybriant delivers an affordable solution which addresses the most common yet challenging structural and operational security vulnerabilities. These services harden client computing environments and help reduce the risk of loss due to breach.  PREtect ensures a sound security posture as well as compliance with government regulations and industry best practices for effective information security.

PREtect integrated managed services include:

  • Security Awareness Training
  • Real-time Vulnerability Management
  • Responsive Patch Management
  • Endpoint Detection and Response
  • 24×7 SIEM with Security Monitoring

Cybriant offers these services individually but recognized the enhanced value both in performance and cost efficiency an integrated stack of these services could provide its clients. To learn more about Cybriant PREtect and for pricing information, please go to www.cybriant.com/pretect.


About Cybriant

Cybriant assists companies in making informed business decisions and sustaining effectiveness in the design, implementation, and operation of their cyber risk management programs. We deliver a comprehensive and customizable set of strategic and adaptive cybersecurity services which address the entire security landscape. These services include assessment and planning, testing and hunting, SIEM management and security monitoring, perimeter and endpoint protection, and secure cloud networking. We make enterprise-grade cybersecurity services accessible to the Mid-Market and beyond.