Bloffin Technologies > News > Blog > End-User Security Ignorance Laid Bare In New Report

End-User Security Ignorance Laid Bare In New Report

End-user security ignorance laid bare in new report

End-User Security Ignorance Laid Bare In New Report

Less than a quarter of people aged between 23 and 38 (so-called millennials) can correctly define the term “ransomware”, more than one-fifth of them don’t know how to change their Wi-Fi security settings, one-third “don’t feel the need” to ever use a VPN, 30%  think “malware” is something used to extend the range of a Wi-Fi router, and 50% of people who take a work device home have let their friends and family use it.


These were just some of the more intriguing findings which highlighted the scale of ignorance among end-users when it comes to cyber security, the scale of the challenge facing security professionals, and the scale of the security industry’s failure to educate.

In a world where 90% of global organisations surveyed said they had been targeted by business email compromise (BEC) and spear phishing attacks, assembled data from nearly 50 million simulated phishing attacks, third-party survey responses by security professionals, and 3,500 working adults.

Cyber Security Hygiene

It found that the majority of people in general failed to observe the basic principles of cyber security hygiene. For example, 45% admitted to password reuse, more than 50% did not password protect their home networks, 32% were unfamiliar with VPNs, and 90% used their work PCs and smartphones for personal activities.

Recognition of common terms, such as malware, phishing and ransomware, was also found to be lacking. Only 61% could correctly define phishing, and only 31% malware, exposing both a knowledge gap and a language barrier for security educators. Recognition also varied  between age groups. Millennials tended to underperform in security awareness, reflecting other recent studies on the same topic, although it is not clear why this should be.

Security Awareness Training

“Effective security awareness training must focus on the issues and behaviours that matter most to an organisation’s mission.

“We recommend taking a people-centric approach to cyber security by blending organisation-wide awareness training initiatives with targeted, threat-driven education. The goal is to empower users to recognise and report attacks.”

Where appropriate security awareness training was undertaken, the effects were noticeable, with 78% of surveyed organisations saying they had seen “measurable reductions” in phishing susceptibility as a result.

End-User Security Ignorance Laid Bare In New Report

Email Reporting

Growth in end-user email reporting, which is a key metric when it comes to understanding and gauging positive behaviours, was another positive trend picked out by the report. More than nine million suspicious emails were reported in 2019.

This was a good sign because it suggested end-users were becoming more vigilant and better able to identify threats – a useful skill given the noted trend towards more targeted and personalised forms of attack.


Altogether, 5% of the organisations surveyed said they had dealt with one successful phishing attack last year, and security pros reported high volumes of social engineering attempts. A total of 88% said they had seen spear-phishing attempts, 86% reported BEC attacks, 84% SMS/text phishing or smishing, 83% voice phishing or vishing, and 81% malicious USB drops.

Corrective Action

A clear majority of organisations also reported that they were now taking corrective action against users who make repeated mistakes related to phishing attacks, with many respondents saying employee awareness improved vastly if people were made to bear the consequences.


The report also showed that 65% of surveyed professionals reported that their organisation had experienced a ransomware infection. Of these, 33% opted to pay up against all advice, while 32% held firm. Of those that negotiated, 9% found they were extorted for further payments, and 22% never got access to their data.