Data breaches have been a headache for many years and for a long time there seemed to be a general apathy about them. Our sense was that things may have changed in the wake of the most severe breach ever – the theft of 145 million social security numbers and other sensitive data from Equifax – which leaves most Americans with the burden of having to monitor for identity theft for the rest of their lives.
Against this backdrop, we decided to find out how aware Americans are of cybersecurity threats and risks, how concerned they are about getting their information stolen, and what they might be doing, or more importantly, not doing about it. We also wanted to learn if recent breaches have caused Americans to change their behavior at all. Tenable recently commissioned a survey, conducted online by Harris Poll of more than 2,000 U.S. adults, to determine how data breaches – and media attention around them – are impacting consumers’ perceptions about their online security and their behavior.
Going into this project, our hypothesis was that because of all the recent breaches, Americans are more aware of security breaches than they were in the past, but that they likely continue to use poor security practices. The results are worse than we anticipated. According to the survey, more than 9 in 10 Americans (94%) have heard news stories about security breaches in the past 12 months, but among them, more than 2 in 5 (43%) have not changed their online habits as a result of these stories. This suggests many Americans may not understand that they have a role in accountability when it comes to taking specific actions to safeguard their personal data.
Cyber illiteracy is rampant
While many Americans are aware of breaches in the news, it appears that about 1 in 5 (21%) aren’t sure if they have been impacted by security breaches in the past 12 months. Only 12 percent of Americans say their personal information has been stolen by hackers due to a security breach in the past 12 months. But given that the Equifax breach exposed sensitive data of as many as 143 million Americans, that number is statistically impossible. Given the Yahoo! breach and countless others, this data suggests an alarming lack of understanding about the pervasiveness of recent breaches and the risks they pose to average Americans. It’s cyber illiteracy.
While most Americans (94%) have heard of news stories about security breaches in the last year and a majority say they are worried about risks associated with activities as basic as use of public Wi-Fi hotspots and online shopping, many still have not taken some critical steps to protect their data. For example, only 25 percent of Americans have implemented two-factor authentication on their devices to protect their personal information in the past 12 months, even though security experts and major online services and technology companies like Facebook and Google strongly encourage it. Although more than 2 in 3 Americans (68%) say they have avoided opening links/attachments from unsolicited emails or texts in the past 12 months, we suggest more Americans do this as this has been an industry best practice for security since the early 2000s. In addition, only about 3 in 10 Americans who have heard of any news stories on security breaches in the past 12 months (32%) have reduced their use of public Wi-Fi or unknown hotspots as a result, which could mean many still frequently do this – a major no-no.
Many Americans do not seem very confident about the security of their data, as nearly 2 in 5 (37%) said they think it’s likely their personal information will be stolen as a result of a security breach in the next six months. Additionally, it appears many Americans are worried about their personal information getting stolen as a result of some of the most common online activities. While 63 percent are worried about their data getting stolen when connecting to public or unknown Wi-Fi hotspots, nearly 3 in 5 (58%) are worried about their personal information being stolen when online shopping, half (50%) are worried when banking online, and 35 percent are concerned when connecting with their friends/family through social media.
Roughly one in two Americans lacks basic cyber hygiene
The survey demonstrates that nearly all consumers are aware of security breaches, but many do not take some basic precautions to protect their data. In the past 12 months, only 56 percent of Americans have used a password to lock their computer and only 45 percent use a PIN to lock their mobile devices. Roughly half of Americans (53%) say they have made their account passwords more complicated in the past 12 months, and 15 percent have used a password management tool. Another emerging authentication technology – biometrics – is still not widespread, with only 19 percent of Americans reporting that they have implemented it on their devices in the past 12 months. This is a surprising result given the fact that Apple has offered the user’s thumbprint as a security measure since 2013.
Even when the minimal is offered, Americans may not be capitalizing on some of the easiest ways to stay on top of their personal cybersecurity. Using credit monitoring services, which Equifax and other breach victims offer for free for a year, is one of the many ways to monitor for identity fraud. So we were surprised to find that so few Americans have signed up for such a service. Only roughly one-quarter of Americans (26%) have used a credit monitoring service to protect their personal information in the past 12 months, and only 12 percent have used an identity monitoring service.
Another basic tactic is to update, update, update and FAST! Apps that are downloaded onto devices can offer a popular inroad for hackers to compromise devices and steal data if the apps have security vulnerabilities, which is fairly common. Hackers who uncover the security weaknesses can exploit them only as long as they haven’t been patched. So, minimizing that window of opportunity is key to staying safe. While some Americans seem to be trying to stay on top of their software updates, many still aren’t updating their apps in a timely manner when the updates are available. Fourteen percent of smartphone users wait more than a week to update apps on their smartphone (or never do it) after receiving a prompt. Meanwhile, 13 percent of computer users wait more than a week to update the apps on their computer – including 3 percent who wait longer than a month after receiving a prompt to do so and 5 percent who don’t update apps on their computer at all.
Consumer security checklist
- Where applicable, enable two-factor authentication for all online services.
- Update your apps and computers within 24 hours of receiving a notification.
- Assign strong passwords to your computer, mobile phone and tablet – and don’t share them with others.
What does this mean for enterprises?
Organizations are scrambling to shore up their defenses in light of all the breaches, as they should be. But they also need to lead the way in basic security practices that keep their customer and critical business data safe. It seems there is a need for a “top down” approach where organizations provide comprehensive cybersecurity, but also team up with customers and employees to educate them about what they can do extend their best practices across their own personal attack surface. This starts with companies being more transparent about their own security practices and holding themselves accountable for lapses. If they don’t make security a top business priority and they aren’t sensitive to these changing consumer patterns and needs, they risk losing customers. Today, being customer-focused isn’t just about making good products; it’s about listening to customers and making sure the products and services they are using don’t cause them harm.
The irony is that cyber poses an existential threat to our economy and our very social fabric – safeguarding ourselves is therefore a shared responsibility. Enterprises must lead the way by practicing fundamental hygiene and enforcing a basic standard of care for their customers’ data. But individuals must do their part, too – both as consumers and, in many cases, as employees of those same enterprises – and that starts with cyber literacy.
This survey was conducted online within the United States by Harris Poll on behalf of Tenable from November 28-30, 2017 among 2,196 U.S. adults ages 18 and older. This online survey is not based on a probability sample and therefore no estimate of theoretical sampling error can be calculated. For complete survey methodology, including weighting variables and subgroup sample sizes, please contact Sarah Spitz of Bateman Group at 347-382-9731.