Seen here, training underway through NIST’s National Initiative for Cybersecurity Careers & Studies. Nearly 70 percent of employees polled in a new survey said they recently received cybersecurity training from their employers, yet 61 percent nevertheless failed when asked to take a basic quiz on the topic.(NIST)

Nearly 70% of employees polled in a new survey said they recently received cybersecurity training from their employers, yet 61% nevertheless failed when asked to take a basic quiz on the topic.

This was one of the leading findings of a research study – conducted by TalentLMS on behalf of Kenna Security – that sought to understand the cybersecurity habits of some 1,200 workers, as well as their knowledge of best practices and ability to recognize security threats.

Here are some the other highlights that underscore why cybercrime has become a trillion-dollar business:

  • Only 17% of those surveyed who work in information services passed the quiz, compared to 57% of health care employees. And yet, 93% of respondents working in information services reported receiving cybersecurity training, compared to 67% of healthcare respondents. 
  • 60% of employees who failed the cybersecurity quiz reported that they feel safe from threats. Incredibly, 74% of respondents who answered every single question incorrectly report feeling safe. 
  • Despite their largely inherent familiarity with technology, employees aged 18-24 collectively performed the worst on the quiz, with only 16% passing. Among age demographic groups, 25-to-34-year-olds tied with those aged 54 and over for the best collective performance, with a pass rate of 43%.

Despite the common frustrations brought out in the survey, companies still need to train, because it’s one of the best first-line defenses against an attack, said Hank Schless, senior manager, security solutions at Lookout.

“Be sure to constantly run security training and include mobile in those sessions,” Schless said. “Consider any text, email, WhatsApp message, or communication that creates a time-sensitive situation a red flag. Users should approach any suspicious messages with extreme caution, or go straight to their IT and security teams to have them examine it first.”

James McQuiggan, security awareness advocate at KnowBe4, said organizations should hold repetitive simulated phishing assessments and additional training throughout the year, in addition to computer-based training.

“Make the training engaging [and] interactive and provide users with an emphasis on protecting their passwords, watching out for phishing links and what it takes to protect the organization as much as the IT and infosec departments,” McQuiggan said.