The British don’t care about cybersecurity or ransomware, new report decrees
New research has claimed nearly two-thirds (64%) of UK businesses were infected with ransomware in 2023, while 95% of workers admitted to willingly endangering the integrity of their workplace’s cybersecurity measures despite knowing the risks of attacks.
That's according to cybersecurity firm Proofpoint’s 2024 ‘State of the Phish’ report, which, despite its nonsensical name, does paint a grim picture, especially when it comes to the reasons that 70% of surveyed employees gave as mealy-mouthed justifications for taking risks online such as sharing and reusing passwords and clicking phishing links.
48% of people (very much a cursed percentage in British lore thanks to Brexit) admitted to carelessness for convenience, 40% in order to save time, and 22% due to a perceived sense of urgency.
Making sweeping judgments about the British on the basis of five statistics
Eagle eyed readers of this illustrious publication may note that these are all basically the same excuse, showing up workers in the United Kingdom as being exceptionalist, impatient, even lazy, perhaps, when it comes to dealing with the unavoidable perils of taking a business online.
The people of the United Kingdom, now officially free and sovereign, have had, in recent history, a poor track record of taking responsibility for their actions and accepting the consequences with good grace.
This theme now continues, with businesses having received 30% more financial penalties from regulatory bodies (that definitely would have gone to the National Health service instead, pinky promise), and a 78% increase in reports of ‘reputational damage’ over the course of the last year.
Looking straight at the reader with a stony expression
In its report, Proofpoint noted that it’s now clear that tech literacy, or ignorance, is not the barrier to employees keeping businesses safe online, but the actual employees themselves. Can we fight human nature, or are we nihilistically bound to accept that no-one is ever going to care about anything?
Though not quite as doom and gloom on this as I am, Proofpoint’s Chief Strategy Officer Ryan Kalember acknowledged the challenge of employee apathy. “Individuals play a central role in an organisation’s security posture, with 74% of breaches still centering on the human element,” he claimed.
“While fostering security culture is important, training alone is not a silver bullet. Knowing what to do and doing it are two different things. The challenge is now not just awareness, but behaviour change.”
Driving employees to care about security
Proofpoint notes in its report a disconnect between the attitudes of IT teams and sysadmins versus employees at the coalface. This is nothing new, but 94% of the employees it surveyed did say that they’d pay more mind to their security responsibilities if controls were more intuitive. It then follows, mind you, that 6% of its survey respondents are agents of the devil.
What the people want has always been at odds with what they should have. Democracy, for instance, as we’ve all seen, was a mistake. Having to think about security for a bit is probably why, when security is in place, it works, and can’t be circumvented by a ransomware gang or a piece of malware in circulation.
As Kalember notes, “Cybercriminals know that humans can be easily exploited, either through negligence, compromised identity or—in some instances—malicious intent.”
I’m not sure, given this pitch black assessment of humanity, that reducing a business’ cybersecurity to great big green and red buttons will solve anything if employees can still be socially engineered or bribed by cybercriminals to get what they want. Or if they can walk straight into the castle and change the flag on the pole because no-one could be bothered pulling the drawbridge up.
Do we have advice for employees in this situation? Yeah: don’t let your identity get stolen for ‘convenience’, which has to be one of the most ridiculous (and therefore British) things I’ve read so far this year.
