What a difference a few years make
When I published my first cybersecurity-focused Weekend Poll back in 2017, less than half the assistants who responded had received cybersecurity training in the workplace. Now, after asking readers five consecutive years about cybersecurity awareness, that percentage has climbed to 87%.
This is important, as cybercrime continues to escalate and financial and other impacts can be significant. This is true in both the workplace and in our personal lives.
Why we need to stay on our toes
This year, 71% of respondents said they’re confident they know enough about cybersecurity. At the same time, when I asked readers just how well informed they are on the topic, only 29% said they have a high knowledge level; the majority rated their knowledge levels between a one (“limited or no knowledge”) and a three (“high knowledge level”).
I’d suggest it makes sense to be conservative in rating our knowledge levels, if only because hackers and threat actors, as cybercriminals are known, continue to adapt and change their tactics. Astute employers will provide ongoing cybersecurity training, often in the form of modules that reflect current threats and cybercrime strategies. Astute assistants will take advantage of every opportunity to learn more about how to recognise and mitigate risks.
Passwords and passphrases
I’ve written on my website and for Executive Support Magazine about high profile 2021 cyber breaches, notably those at Colonial Pipeline Co. and JBS S.A. The latter is a Brazilian company that happens to be the planet’s largest meat producer. A spring 2021 ransomware attack on JBS forced the decision to halt, reduce or idle operations in three countries.
Assistants’ cyber awareness can impact their employers’ cybersecurity ratings
In the case of the Colonial cyber breach, it came down to internal reliance on use of a single password, rather than what’s known as two-factor authentication (2FA). It was gratifying, when I asked readers in July 2021 about their use of two-factor authentication, to see that 97% of respondents use it where available.
What about your password practices? In 2021, 20% of respondents said they generally use passwords. The majority, 74%, use both passwords and passphrases. Passphrases may be more challenging to hack.
What about all those accounts that require a password – or passphrase – to secure access? More than one in three 2021 respondents, 35%, use the same password or passphrase for more than one work login or account. I used to be in this camp, yet the more aware we become, the more likely we are to change practices.
While 20% of respondents to my 2021 cybersecurity Weekend Poll reported using only one, two or three passwords or passphrases in their career, 35% use five or more on the job. Another 39% make a point of using distinct passwords or passphrases for every work-related account or login. Hats off to these individuals, as they’re likely having positive impacts on their respective employers’ cybersecurity ratings.
Cybersecurity and third party/vendor risk management
Yes, you read that correctly when I mentioned employers’ cybersecurity ratings. Just as cybersecurity holds countless career opportunities, another industry has emerged. Think of credit bureaus, and how such entities exist to assess and provide credit ratings. These days, there are companies in the business of providing cybersecurity-related security rating services; these are known as SRS. While some chief information security officers (CISOs) may be less than satisfied with the scorecard approach to such ratings, Gartner has projected that, by 2022, “cybersecurity ratings will become as important as credit ratings when assessing the risk of existing and new business relationships”.
A summer 2021 supply chain ransomware attack
In July 2021, we learned of REvil’s $70M ransomware demand on Kaseya Ltd. Kaseya provides software to managed service providers (MSPs), which in turn provide IT services to small- and medium-sized enterprises (SMEs). Kaseya announced the breach, and its CEO reported that fewer than 0.1% of the company’s clients were impacted. It’s estimated that between 800 and 1,500 SMEs may have experienced their own ransomware compromises as a result of their MSPs being impacted.
Back to those rating services
What do cybersecurity ratings have to do with assistants? Well, “user behaviour” is among the categories included on those scorecards. That refers to your cyber practices, and those of your colleagues.
With that in mind, it’s worth noting that 55% of respondents to my 2021 Weekend Poll on cybersecurity said they believe their passwords or passphrases would be difficult to crack. It’s a given that your IT team has likely established requirements that force you to update your email and other accounts’ passwords on a routine basis. Think, now, of other business-related accounts through which you provide information. When I asked readers this year if you routinely update your passwords or passphrases without prompting – and this includes personal as well as business accounts – only 20% said yes.
Assistants use multiple passwords or passphrases
In 2021, 29% of respondents said they use anywhere from three to 10 different passwords or passphrases between personal and career accounts. Almost a quarter, 23%, use anywhere from 16 to 24 distinct passwords or passphrases. Another nine percent use between two and three dozen, and 29% reported using more than three dozen distinct passwords or passphrases.
That’s a lot of information to remember, and assistants have different ways of remembering which passwords or passphrases are associated with which account logins. In 2021, three percent of respondents said they use password management apps in their careers – and the same percentage use password management apps solely for personal use. Another 13% use such apps for both their careers and personal lives. The vast majority, 81%, don’t make use of these apps.
Your password, passphrase lists
In 2021, 36% of respondents said they keep track of all their passwords or passphrases with a hard copy list they keep secured. Another three percent rely on similar hard copy lists that are not kept under lock and key.
Twenty-four percent of respondents in 2021 said they maintain digital/electronic lists of passwords or passphrases used in their career, and that they store such information in a password-protected manner on business hardware. Another 14% store such information in a password-protected manner on their personal hardware. Three percent store such information on their personal hardware without password protecting their lists.
45% are aware of cyber breaches in their workplaces
In summer 2021, 45% of respondents said they’re aware of cyber breaches having occurred at either their current or prior place of employment. Thirteen percent of respondents reported being aware of cyber breaches having occurred with their personal hardware.
What about email and social media accounts? Thirty-five percent of respondents in 2021 said they’re aware of at least one of their email accounts having been hacked/breached, and the same percentage – 35% – reported awareness that at least one of their social media accounts has been hacked/breached.
When I asked assistants if they know anyone else whose social media or email accounts have been hacked, a whopping 94% said yes.
These percentages didn’t surprise me, nor will they surprise those of you who’ve attended one of my presentations on cybersecurity for assistants. It’s an oft-repeated phrase that, when it comes to cybersecurity, there are three types of organisation: those that have been hacked, those that will be hacked, and those that have been hacked yet don’t yet know it.
We can take steps to mitigate risks
When I asked readers if you’ve increased your attention and care to cybersecurity given the increase in remote work environments as a result of the COVID-19 pandemic, 74% said yes. Another 13% said they’d not thought of this, but will now do so.
Being cyber aware is the first step. If you’ve attended any of my cybersecurity presentations, or read my articles on apps and the need for all of us to become increasingly aware of both business and personal cyber risks, you’ll know there are steps each of us can take to mitigate those risks.
Read on to see how your cyber practices compare to those of your peers, and here’s to continuing to mitigate risks at home and in your career.
The data: readers’ responses to this Weekend Poll
1. Are you confident that you know enough about cybersecurity?
- 71%: yes
- 29%: no
2. On a scale of 1 (limited or no knowledge) to 3 (highly aware), how well informed are you about cybersecurity?
- 6%: 1 – limited or no knowledge
- 65%: 2
- 29%: 3 – high knowledge level
3. Have you received cybersecurity education/training at your workplace?
- 84%: yes
- 16%: no
4. Given remote and hybrid work practices arising from the COVID-19 pandemic, has your employer provided cybersecurity training specific to such work practices, or otherwise increased communications and cautions to help you mitigate the risk of cyber breaches/hacks given increases to remote/hybrid work practices?
- 19%: Yes; there have been pandemic-specific training sessions or modules
- 52%: Yes; we’ve received reminders about best practices or how to mitigate risks
- 10%: No, but that’s because we already had a good training/awareness program in place
- 19%: no
5. If you have received cybersecurity education/training at your workplace, when was the last such communication or session?
- 15%: Modules or resources are online, and it’s up to us to access them
- 37%: Within the last month
- 15%: Within the last quarter
- 18%: Within the last half year
- 4%: Within the year
- 11%: More than a year ago
6. Have you attended any external presentations/training sessions on cybersecurity?
- 35%: Yes
- 65%: No
7. Have you undertaken any independent reading/professional development related to cybersecurity?
- 48%: Yes
- 13%: My cybersecurity PD is limited to what Shelagh’s presented or written on the topic
- 39%: No
8. On a scale of 1 (not concerned) to 3 (very concerned), how much of an issue do you consider cybersecurity to be in the workplace?
- 0%: 1 (not concerned)
- 26%: 2
- 74%: 3 (very concerned)
9. On a scale of 1 (not concerned) to 3 (very concerned), how much of an issue do you consider cybersecurity to be in your personal life?
- 3%: 1 (not concerned)
- 29%: 2
- 68%: 3 (very concerned)
10. Do you generally use passwords or passphrases?
- 20%: passwords
- 6%: passphrases
- 74%: I use both passwords and passphrases
11. Do you use the same password or passphrase for more than one work login or account?
- 35%: Yes
- 65%: No
12. How many different passwords or passphrases do you use for your career/work?
- 3%: 1
- 10%: 2
- 7%: 3
- 6%: 4
- 35%: >5
- 39%: I use distinct passwords or passphrases for every account or log-in
13. Do you typically change/update your passwords or passphrases without prompting?
- 20%: Yes
- 37%: No
- 43%: Only occasionally
14. On a scale of 1 (embarrassingly obvious) to 3 (challenging), how difficult would it be to crack your passwords or passphrases?
- 3%: 1 – embarrassingly obvious
- 42%: 2
- 55%: 3 – challenging
15. Between career and personal use, how many different passwords or passphrases do you estimate you use in total?
- 0%: 1
- 0%: 2
- 6%: 3 – 5
- 23%: 6 – 10
- 10%: 11 – 15
- 23%: 16 – 24
- 9%: > two dozen
- 29%: > three dozen
16. Do you use a password or passphrase management app?
- 3%: Yes – in my career
- 3%: Yes – for personal use
- 13%: Yes – for both career and personal use
- 81%: No
17. If you use a password or passphrase management app, please ID your preferred app. Note: You’ll find the apps assistants mentioned below, in alphabetical order.
- Apple
- Bitwarden
- LastPass
- Roboform
- SafeInCloud
18. Do you keep a HARD COPY list of passwords or passphrases you use in your career?
- 36%: Yes, I have a hard copy list and keep it secured
- 3%: Yes, I have a hard copy list but it’s not under lock and key
- 61%: No
19. Do you keep a DIGITAL/ELECTRONIC list of passwords or passphrases you use in your career?
- 24%: Yes; I store it on my business hardware and it’s password protected
- 0%: Yes; I store it on my business hardware but it’s NOT password protected
- 14%: Yes; I store it on my personal hardware and it’s password protected
- 3%: Yes; I store it on my personal hardware but it’s NOT password protected
- 59%: no
20. When downloading apps or software, do you typically read the privacy policies and the terms and conditions?
- 17%: Yes
- 28%: No
- 24%: I do so with apps, but not for other software installations
- 28%: I do so for most software installations, but not for apps
- 3%: I haven’t done so, yet perhaps it’s time to start doing so
21. Do you use two-factor authentication (2FA) where available?
- 97%: Yes
- 0%: No
- 3%: I’m not familiar with this
22. Are you aware of any cybersecurity breaches having occurred at your current or prior place of employment?
- 45%: Yes
- 55%: No
23. Are you aware of any cybersecurity breaches having occurred with your personal hardware?
- 13%: Yes
- 87%: No
24. Are you aware of any of your social media accounts ever being hacked/breached?
- 35%: Yes
- 65%: No
25. Are you aware of any of your email accounts being hacked/breached?
- 37%: Yes
- 63%: No
26. Do you know anyone whose social media or email accounts have been hacked/breached?
- 94%: Yes
- 6%: No
27. Have you increased your attention and care to cybersecurity given the increase in remote work environments as a result of the COVID-19 pandemic?
- 74%: Yes
- 13%: No
- 13%: I hadn’t thought about this, but I will now