A survey of U.S. consumer attitudes toward online privacy and security has some potentially good news for enterprise organizations in the age of telecommuting and hybrid work models.
A Consumer Reports (CR) survey of 2,103 American adults found significant improvements in consumer cybersecurity and privacy over the past three years. Many more people seem to be aware of the security and privacy risks associated with their digital footprint and have made significant changes in their behavior to try to better protect it.
Some of the changes, such as the surge in the use of multi-factor authentication (MFA), appear to be due to more and more organizations requiring it to access online accounts and services. Still, much of the change in behavior is likely also driven by greater awareness of cyber risks, several security experts say.
“The harsh reality is that the explosion of ransomware attacks and data breaches has raised cybersecurity awareness to a level we’ve never seen before,” said Darren Guccione, CEO and co-founder of Keeper Security. “When people can’t get gas at a gas station or their banking information is leaked into the dark web, they immediately realize the tangible impact cyberattacks can have on their personal lives.”
This trend bodes well for corporate organizations grappling with security concerns related to the use of unsecured home networks and devices by their home and remote employees. That could mean less of an uphill battle for them, says Brian Dunagan, vice president of development at Retrospect, a StorCentric company.
This shows that people are taking the communication about safety directives seriously and taking the time to read, learn and ask questions when necessary – which is a noticeable change.
“Now is the time for security leaders to make the case for increased security budgets, whether it’s additional personnel or additional technology solutions,” says Dunagan.
Significant security improvements for consumers
As one example of wider consumer adoption of certain security practices, 88% of survey respondents said they use what CR describes as strong passwords — eight characters or more, with upper and lower case letters, numbers and symbols — to protect access to their Wi-Fi networks. This is up from 74% in the last survey. Likewise, 85%, compared to 69%, have implemented measures such as requiring a password, PIN, TouchID or FaceID to unlock their smartphone.
The survey found that US consumers are more aware of the potential privacy and security implications of giving mobile apps the unlimited ability to track their location and movements. Eighty-one percent of consumers now allow an app to access their location only when they’re using the app. Eighty percent said they didn’t install apps they thought collected too much information about them, and 78% blocked apps from accessing their camera, location or contacts if they didn’t think the apps needed that access.
The numbers in each case were significantly higher than in the 2019 survey. For example, only 60% blocked an app from accessing their cameras and contacts three years ago, and 65% made sure that a mobile app only had access to their location when the app was in use.
One of the most significant changes was in the use of multi-factor authentication, with 77% of respondents saying they now use MFA, up from 50% in 2019. Security experts consider MFA a fundamental security best practice for protecting online accounts from hijacking and compromise.
“Many products and companies have begun encouraging consumers to practice better cyber hygiene,” says Amira Dalla, director of partnerships and advocacy programs at Consumer Reports. “Usually, when you log into your bank or email account, they encourage or command [that] you must use multi-factor authentication.”
Consumers are more in control, but there is work to be done
Dalla says CR’s survey found that consumers generally feel more in control of their personal data because of the steps they take to monitor and protect it.
“As more security and privacy tools have become available and marketed to ordinary consumers, they feel they have more at their disposal to combat the security of their data,” she notes. “[They] take more responsibility to protect themselves.”
At the same time, they are less protected by how companies process and store their data. At least 75% of CR survey respondents expressed concern about the privacy of personal data companies collect online. “We know that consumers consider themselves more responsible. They just need the knowledge and tools to better protect themselves.”
Roger Grimes, data-driven defense evangelist at KnowBe4, sees the improvement in consumer habits as a result of the trickle-down effect. “The main reason for the change is that companies are now taking cyber security threats that trickle down to consumers more seriously because they work for those businesses and are affected as customers,” he says. “If your employer is teaching you to be more aware of cybersecurity at work, those are also skills you can apply at home and teach your family.”
Grimes says that while the trends in CR research are encouraging, it’s also important to put them in perspective. As one example, he points to the survey’s definition of what a strong password is. “Eight-character passwords, even complex ones, are no longer considered secure,” he says. “For someone’s password to be truly secure, it needs to be 12 characters or longer and completely random, or 20 characters or longer if it’s made up in someone’s head.”
Similarly, using MFA alone isn’t enough unless it’s also phishing-resistant, he says. “Unfortunately, 90% to 95% of MFA is easily phished [and] no more difficult to steal or circumvent than a password. It’s bad advice to tell people to use any MFA.”