The key findings from the LastPass Annual Report 2022 speak for themselves:
“With 65% of those surveyed claiming to have some type of cybersecurity education, the majority (79%) found their education to be effective, whether formal or informal. But out of those who received cybersecurity education, only 31% stopped reusing passwords. And only 25% started using a password manager.”
Receiving awareness training, regardless of how good it is, is obviously not enough. If the training is not a part of an organizational security culture where we as individual co-workers can do security according to what we just learned, it simply won’t create the security behavior we were aiming for.
In worst case, also shown in the LastPass Report, it can create a false sense of security. Where a sense of knowing what to do is mistaken for what we actually do in practice: “With 73% of respondents rating their current password behaviors as safe, and 89% aware that using the same password or variation is a risk, respondents are switching from one bad habit to another in their quest to make password management as easy as possible” the report says.
And it’s potentially getting worse. When comparing different age groups, Gen Z (born 1997–2010) – now entering the workforce – have the highest self-esteem when it comes to cyber security. While the Boomer generation (born 1946–1964) now leaving the workforce, represent the opposite: less confident about their password management but more cautious – and with the best password hygiene across generations.
The report also refers to only 33 percent of Millenials and Gen Z being stricter and more careful when it comes to work-related password management. With a new connected and hybrid work life the borderland between peoples’ private and work life becomes a new vulnerable area where co-workers mix their private and professional IT-habits and environment. This was also one of the themes in the F-secure Annual Threats Guide 2023 earlier this year.
So how can a culture of cybersecurity help – and what does it mean in practice?
Awareness training is targeted to deliver just that: a raised awareness. But end-users are still on a quest to make password management as easy as possible – and we need to have tools in place to allow that with the same level of security.
As a part of the information security program at Junglemap, we run our own NanoLearning courses. With 3-minute lessons every third week, we’re allowed to both repeat, reflect and have our new learning reinforced all year round – creating and maintaining a higher security awareness.
The chances that any of us would do this on our own are low – according to the LastPass report 65% did not seek out any cybersecurity education on their own.
This is also one of the main reasons why NanoLearning from Junglemap is a distributed way of learning. We target the great majority that lack time or motivation with the same message and content, at the same time.
But at the end of the day, it’s the combination of raised awareness, and the organizational and technical tools that create new and safer behaviors. Last time I checked, I had 71(!) secure passwords within our mandatory password manager. There is simply no way I could have remembered all of these without a password manager.
On the contrary, the risk of me starting to re-use old passwords would increase dramatically.
Even though I'm aware of the risk.