sb-nz logo
Story image

Remote staff overestimating knowledge of cybersecurity basics

Employees are confidently making 90% of all security awareness mistakes, according to Kasperky. 

Free security awareness training on remote working from Kaspersky and Area9 Lyceum has seen participants enact correct responses 66% of the time.

However, even when learners were wrong, they mostly remained confident in their competences. The most difficult learning objectives proved to be virtual machines, updates, and reasons why people should use corporate IT resources even while working outside the office.

The coronavirus pandemic saw many companies switched to remote working. This change affected corporate security via a growing number of web-based attacks, coronavirus-related phishing, as well as the increased use of shadow IT, Kaspersky says.

To help businesses improve their staff cybersecurity skills, in the beginning of April 2020 Kaspersky and Area9 Lyceum released an adaptive learning course for those transitioning to at-home working, covering the basics of secure remote operations.

Analysis of anonymised learning results revealed that remote staff tend to overestimate the level of their knowledge of cybersecurity basics. In 90% of cases when learners selected a wrong answer, they evaluated their feelings toward the given response as “I know it” or “I think I know it”. This was revealed through an adaptive learning methodology, which asked learners to assess their levels of confidence in responses, as well as answer the test questions.

The study also identified the most difficult learning objectives – the hardest being reasons why to use virtual machines. As many as 60% of the given answers were wrong on this matter, with 90% of respondents falling into the ‘unconscious incompetence’ category. This means that mistaken learners were still sure that they had selected the right answer or option.

More than half of responses (52%) to questions about reasons why employees should use corporate IT resources (such as mail and messaging services or cloud storage) when working from home was incorrect. In 88% of cases, remote employees thought that they could explain this correctly. 

Almost the same proportion of mistakes (50%) was made when answering a question about how to install software updates. In this case, a staggering majority of 92% of those who had provided wrong answers, believed they had that required skill.

“If employees see no danger in risky actions, let’s say, in storing sensitive documents in personal storage, they are unlikely to seek advice from IT or IT Security departments," says Denis Barinov, head of the Kaspersky Academy.

"From this perspective, it’s hard to change such behaviour, because a person has an established habit and may not recognise the associated risks," he says.

"As a result, ‘unconscious incompetence’ is one of the most difficult issues to identify and solve with security awareness training."

Story image
Video: 10 Minute IT Jams - Who is Bitglass?
Today, Techday speaks to Bitglass senior director of marketing Jonathan Andresen, who discusses insider attacks and the best solutions and practices to employ to protect organisations and employees.More
Story image
CrowdStrike integrates with ServiceNow program to bolster incident response
As part of the move, users can now integrate device data from the CrowdStrike Falcon platform into their incident response process, allowing for the improvement of both the security and IT operation outcomes.More
Story image
Video: 10 Minute IT Jams - Who is CrowdStrike?
Today, Techday speaks to CrowdStrike ANZ channel director Luke Francis about the company's key products and offerings, its upcoming annual security conference, and the infrastructure it leverages in the A/NZ region.More
Story image
Just one click – that’s all it takes to let in cyber-crime
So how do organisations ensure that users are not compromised by simply doing their work?  The answer is surprisingly simple, writes Bufferzone Security business strategist for A/NZ Greg Wyman.More
Story image
Why it’s essential to re-write IT security for the cloud era
Key components of network security architecture for the cloud era should be built from the ground up, as opposed to being bolted on to legacy solutions built for organisations functioning only on-premises or from only managed devices.More
Story image
Metallic adds data management and GDPR compliance
Now GDPR compliant, additions to the portfolio include eDiscovery features and support for Microsoft Hyper-V and Azure Blob and File storage.More