The good, the bad and the ugly of cybersecurity statistics (2021 edition)

At Bob’s Business, we’re at the very forefront of organisational cybersecurity training and simulated phishing training. Making training entertaining, engaging and effective is what we do.

In order to make training truly effective, however, we need to understand the cybersecurity habits, behaviours and assumptions that underpin behaviours across organisations.

It’s why we created the Human Vulnerability Assessment, our unique organisational benchmarking tool which we deploy to Bob’s Culture clients to help deliver truly tailored training and demonstrate organisational improvement.

Now, we’re ready to reveal some of the statistics we’ve gleaned from over six months of opening HVA deployments - statistics that reveal the good, the bad and the ugly of cybersecurity in 2021.

The Good

97% of recipients believe that everyone in their organisation had a role to play in cybersecurity.

77% did not feel that they could be complacent with regard to cybersecurity due to their organisation’s automated defences.

71% consider it possible for their organisation to fall victim to a cyberattack.

The Bad

24% of recipients answered that they occasionally download files and media without verifying their authenticity. That means that around one in four employees were at risk of accidentally downloading malware, which can have severe consequences for an organisation.

11% of recipients responded that they do with some level of frequency share work passwords with their colleagues. Sharing passwords like this leads to less secure accounts and may result in data breaches.

45% of those questioned did not claim to be at all suspicious of incoming emails.

The Ugly

65% of recipients admitted to reusing passwords on multiple sites. This means that a data breach on one external site may lead to multiple compromised accounts.

16% admit to clicking links in emails from unverified sources. Our tests show otherwise, as while any given phishing simulation typically achieves a ~16% click rate, the overall portion of recipients that click on at least one template throughout a campaign is higher.

Only 46% of recipients claimed always to follow their company’s cybersecurity policies. More troubling still was that 14% claimed not to know the policies at all.

The methodology

The HVA questionnaire was sent to users at 25 organisations. In total 4,937 users completed the test. As questions were added to the HVA or changed over time, the sample for specific questions varies. The results for all organisations were collated. Key demographic statistics were then drawn from questions of interest.