A survey on US consumer attitudes toward online privacy and security holds some potentially good news for enterprise organizations in an era of work-from-home and hybrid work models.
The survey of 2,103 US adults, conducted by Consumer Reports (CR), showed substantial improvement in consumer cybersecurity and privacy practices over the past three years. Many more individuals appear aware of the security and privacy risks associated with their digital footprint, and have modified their behavior significantly to try and protect it better.
Some of the changes — such as a surge in the use of multifactor authentication (MFA) — appear tied to the fact that more and more organizations require it for accessing online accounts and services. That said, a lot of the behavioral changes are likely also being driven by a higher awareness of cyber-risks, several security experts say.
"The harsh reality is that the explosive growth in ransomware attacks and data breaches has raised awareness of cybersecurity to a level we’ve never seen before," says Darren Guccione, CEO and co-founder at Keeper Security. "When people are unable to get fuel at the gas pump or their bank data is leaked on the Dark Web, they immediately understand the tangible impact cyberattacks can have on their personal lives."
The trend has upside for enterprise organizations that are struggling to contain security challenges tied to the use of insecure home networks and devices by their work-from-home and remote employees. It could mean less of an uphill battle for them, says Brian Dunagan, vice president of engineering at Retrospect, a StorCentric company.
It suggests that people are taking communications regarding security directives seriously and are taking the time to read, learn, and ask questions if necessary — which is a notable shift.
"Now is the time for security leaders to make the case for increased security budgets, whether it is added personnel or added security technology solutions," Dunagan says.
Significant Security Improvements for Consumers
When it comes to better consumer adoption of certain security practices, 88% of survey respondents, for instance, said they use what CR describes as strong passwords — eight characters or more, with upper and lowercase letters, numbers, and symbols — to protect access to their Wi-Fi networks. That's up from 74% in the last survey. Similarly, 85%, up from 69%, have implemented measures such as requiring a password, PIN, TouchID, or FaceID to unlock their smartphone.
The survey revealed a greater understanding among US consumers of the potential privacy and security implications of allowing mobile applications the unfettered ability to track their location and movements. Eighty-one percent of consumers now only allow an app to access their location when they are using the application. Eighty percent claimed they did not install applications that they perceived as collecting too much information about them, and 78% block apps from having access to the camera, location, or contacts if they think the app does not require that access.
The numbers in each instance were significantly higher compared with the 2019 survey. For example, just 60% blocked app access to their cameras and contacts three years ago, and 65% ensured a mobile app had access to their location only when the app was in use.
One of the most significant changes was in the use of multifactor authentication: 77% of survey respondents said they now use MFA, up from 50% in 2019. Security experts consider MFA to be a fundamental security best practice for protecting online accounts against takeover and compromise.
"Many products and companies have started to encourage consumers to enable better cyber hygiene," says Amira Dhalla, director of impact partnerships and programs at Consumer Reports. "It's common that when you log in to your bank or email account, they encourage or mandate [that] you have to use multifactor authentication."
Consumers Are More in Control, but Work Needs to Be Done
Dhalla says that CR's survey showed that consumers overall feel more in control of their personal data because of the steps they are taking to control and secure it.
“As more security and privacy tools have become available and marketed to everyday consumers, they feel they have more at their disposal to combat the security of their data," she notes. "[They] are placing more responsibility on themselves to protect themselves.”
At the same time, they are less secure with how companies are handling and storing their data. At least 75% of the respondents in the CR survey expressed concern about the privacy of personal data that companies collected online. "We know consumers are holding themselves more accountable. They just need knowledge and tools to be able to protect themselves more."
Roger Grimes, data-driven defense evangelist at KnowBe4, perceives the improved consumer habits as the result of a trickle-down effect. "What's largely driving the change is businesses are now taking cybersecurity threats more seriously, which trickles down to consumers because they work for those businesses and are impacted as customers," he says. "If your employer is training you to be more cybersecurity aware on the job, those are also skills you can apply at home and teach to your family."
Grimes says while the trends in the CR survey are encouraging, it's also important to view them in the right perspective. He points to the survey's definition of what constitutes a strong password as one example. "Eight-character passwords, even with complexity, are no longer considered secure," he says. "For someone's password to be truly secure it must be 12 characters or longer and fully random or 20 characters or longer if made up out of someone's head."
Similarly, using MFA alone is not sufficient, if it is not also phishing resistant, he says. "Unfortunately, 90% to 95% of MFA is easily phish-able [and] no harder to steal or bypass than a password. Telling people to use any MFA is bad advice."