Study finds 90 percent have no recent cybersecurity training

A new study finds that only 1 in 10 consumers have had any classes or training about protecting their computer and/or their personal information during the last 12 months. Indeed, a shocking 68 percent say they have never had any such training, ever. These and other findings, first revealed by ESET at the Virus Bulletin conference in Dallas, come just in time for National Cyber Security Awareness Month.

In our ongoing efforts to better understand the information security challenges that we, as a society, now face, ESET asked a cross-section of computer users several security-related questions.

The most worrying findings? Only 1 in 10 people who regularly use a computer or other digital device to connect to the Internet have received any kind of cyber security training in the last 12 months, and more than two thirds have never had any such training. That 68/32 split you see in the pie chart rang a bell with us because it mirrored a different ESET poll, conducted by Harris earlier this year. The purpose of that poll was to study implications of the bring-your-own-device or BYOD trend. We asked employed U.S. adults if they had received any kind of computer security training from their employer and only 32 percent said they had. Another 64 percent said they had not and 4 percent said they couldn’t recall having such training, which probably means it was not worth remembering. Clearly, with two separate surveys indicating that under a third of Internet users have had security training, we could be doing a much better job of educating employees and consumers about cybersecurity.

More cyber-security training needed, and needed now

While the total number of people in our latest survey who received no training was disappointing, things appear even worse when you take a closer look. Most of those who got training received it more than 12 months ago. Given the rate at which new threats emerge, and new defensive behaviors are needed, finding that only 10% had received any security training in the last 12 months was very disappointing. Here is the full breakdown of responses to the question: “Have you ever had any classes or training about protecting your computer and/or your personal information?”

  • No training ever: 68%
  • Yes, in last 12 months: 10%
  • Yes, 1-2 years ago: 5%
  • Yes, 3-5 years ago: 5.5%
  • More than 5 years ago: 11.5%

Frankly, I find these numbers alarming in their implications for cybersecurity, the protection of the data streams that have become the lifeblood of our digital economy and our nation’s critical infrastructure. These findings also cast doubt on the perennial assertion by some experts that security problems mainly arise from the stupidity of users. In light of these survey results it is worth asking whether the stupidity lies more with those who expect to achieve system security without providing any education on the subject to the people who use the systems.

During the evolution of computer security over the last 20 years there has been a persistent hope that security was a problem that could be solved technologically, therefore saving us the trouble of educating computer users about security. Clearly, that has not happened and, ironically, the improvements made in security technology have actually shifted the point of attack to users. Consider two current trends:

1. 64-bit malware: As my colleague Aleksandr Matrosov pointed out in his analysis of the Rovnix bootkit framework, the task of writing malicious code that can successfully exploit 64-bit systems is getting harder. At the same time, marketing projections tell us that more and more systems will be 64-bit, a growing obstacle for cyber-criminals.

2. Gateways to control applications: Both Apple and Microsoft are looking to restrict the installation of applications by end users in order to control the quality, and legitimacy, of application code. Users will need additional persuading (or social engineering) in order for malware to circumvent these controls.

The implications of these two trends? People who seek to profit from unauthorized access to our data and systems will be forced, increasingly, to try to exploit human vulnerability. Tricking users into compromising their systems (and other systems to which they then connect) will be increasingly important as an attack vector. And that means the case for arming all computer-using humans with security training is stronger than ever. Sadly, these survey results suggest there is a ton of work to do before we can hope to achieve that goal.

In the next installment of statistics from our recent survey we will explore consumer knowledge of cybersecurity in the absence of widespread training and look at some of the educational initiatives ESET is working on. In the meantime, please explore all that is going on in October for National Cyber Security Awareness Month. For example, you might want to point friends and family to the cybersecurity training modules that ESET has made available free of charge to Internet users in North America for the month of October.

Author Stephen Cobb, ESET

  • SecureKat

    I'd push that statistic even higher. Recent polls elsewhere have shown that globally, less than 5% of smartphone and tablet users, the growing BYOD market, have any sort of authentication in use — no pin, password, security software, or other protections. I believe it is way past time that the human side of information security needs to be addressed more seriously for the average consumer.

  • Andrea Ebbing

    Thank you for posting this. This may be the single most important topic we are facing in this day and age, and as you mention MOST of the general public haven't even a clue. It's as if we have an insidious malignant tumor multiplying just below the skin and instead of taking a simple step toward solving what may be a very manageable threat, it leads to massive complications in the future. Not for lack of caring, but for lack of knowing what to watch for.
    That being said, I must admit that my journey into the depths of Cybersecurity started right here with ESET. While I am extremely well versed in my craft, I represent the millions this message needs to reach. As a hopeful addition to the ESET NA team, I had begun the process of immersing myself deep into the ESET brand and how it sets itself apart from its competitors. What began as market research transformed into a vigilante passion for learning and communicating reality to anyone – OR should I say – anyone who is interested in protecting their personal identity, business, family, future, privacy, and sanity.
    Based on the hard facts above, it is indeed the general public, the average person – the NON early adopter, NON tech-savvy, Small Business Owner, IT-less C.E.O. in crisis, New Parent, Performing Arts School, Bed & Breakfast Operator, Charter School, Non Profit Organization etc. that REALLY need this message. I have been following your Evangelism Stephen…and I too have drawn this conclusion.
    What people need to understand in such a large way are the basics. From there, they can make informed decisions based on clear concise messaging that urges protection – the protection that the ESET "Hero" – or Androide – can offer.
    When explaining the product and threats to my peers, I have analyzed the actual purpose and removed the complexity from my message. Andrew Lee said it best when he mentioned that if "someone walks up to you on the street and asks you – give me your bank card or ATM #" in this interview: need to know that there are threats of the HUMAN kind behind the code, and there is protection of the SECURITY SYSTEM kind – so far advanced that it can predict threats before they even have a chance of occurring (such as ESET's line of products) that don't require very little effort whatsoever on behalf of the user. I tell people it's like having access to the most advanced and hyper sensitive home security system … on your computer.
    People can also learn a tremendous amount of information on real world threats and solutions through the plethora of free Webcasts your team has been generous in offering – it's a true added value of ESET's brand currency. Expert advice for free, which is a lot less than hiring an IT consultant for your home or business needs:

    • David Harley

      Thank you for your thoughts, Andrea. During many years in support with a security bias, I found that people can actually stay fairly safe online in the corporate context with the right advice, guidelines and training: for home users it’s much harder. There’s plenty of advice out there, but much of it is more hindrance than help.

  • Krishna G

    I go with Stephen, Andrea and David who support regarding the topic trainings and protecting their own computers from threats and malwares..
    I work for "K7 Computing". When I go for trainings and product demos, I interact with corporate users as well channel where I find many of them are not aware how to protect their computers from attacking rogue s/w as well 3rd party applications that are unwanted..
    Looking at these we have started providing trainings to channel & tech eng.., in this session we elaborate how to protect their OS or computers from virus attacks and malwares even without Antivirus Installed on the computer.
    I provide basic tech steps to secure computer without AV and suggest for Antivirus product how to make ease of technical steps with simple steps….

    • David Harley

      Hi, Krishna. Nice to hear from one of our friends over in Chennai. :) And I have to agree: while AV still has an important role, we have a responsibility to encourage people to take a step beyond “I don’t have to think about security because I have AV/firewall/HIPS etc”…

  • maria

    Hi, I would like to know these statistics have been taken from which country, and which period of time? I'm doing thesis research about cybercrime in the UAE, and would like to know if you have same survey for the UAE? I'm waiting for your reply.

    • David Harley

      My understanding is that the survey was undertaken in the US on behalf of ESET N. America. We’re not in a position to supply data on the UAE.

Copyright © 2017 ESET, All Rights Reserved.