Home office and IT security: employees make 90 percent of mistakes because they are convinced that they are doing the right thing. Kaspersky training clearly shows that employees time and again overestimate their own knowledge.
The free security training from Kaspersky and Area 9 Lyceum shows that employees overestimate their knowledge of IT security: in two thirds of cases (66 percent) correct answers were given [1], but in nine out of ten cases in if the answer was wrong, the employees are still convinced of their knowledge. The use of virtual machines, software updates and the reasons for using company-related IT resources in the home office were identified as the most difficult learning objectives.
The corona pandemic led many companies to switch to 'remote work' or the move of employees to the home office. Closely linked to this is an increasing number of Internet-based attacks [2], phishing emails related to COVID-19 [3] and increasing shadow IT [4]. In order to support companies worldwide in improving the security skills of their employees, Kaspersky and Area9 Lyceum made available an adaptive online training course specifically for home office workers in early April 2020 [5], which imparts basic cybersecurity knowledge in this regard.
Kaspersky's analysis shows that employees overestimate themselves
However, the analysis of the anonymized learning outcomes shows that employees working from home tend to overestimate their knowledge of IT security. In 90 percent of the cases where learners chose an incorrect answer, they were confident they were right and stated, "I know" or "I think I know." This was revealed by the adaptive learning methodology, in which participants were asked to rate their level of confidence in the answers and in answering the test questions.
Through the analysis, Kaspersky was also able to identify the most difficult learning objectives when it comes to security awareness. The use of virtual machines was identified as the greatest challenge. A full 60 percent of the answers given were wrong and 90 percent of the respondents fell into the category of "unconscious incompetence". The latter means that despite the wrong answer, learners remained confident that they had chosen the right option.
52 percent use their own IT resources incorrectly
In addition, more than half of the answers (52 percent) to questions about the use of the company's own IT resources from the home office (such as mail, messaging, or cloud storage services) were incorrect. In 88 percent of the cases, remote workers incorrectly assumed that they had adequate knowledge on the subject. When answering the question about installing software updates, the error rate was 50 percent. In this case, an overwhelming 92 percent of those who gave incorrect answers believed they had the skills required.
"If employees see no danger in risky actions, such as storing sensitive documents in personal storage, they are unlikely to seek advice from the IT or IT security department," says Denis Barinov, head of Kaspersky Academy, skeptically . “Because of such long-established habits, it is difficult for employees to change their behavior and recognize the cyber risks involved. This “unconscious incompetence” represents one of the most relevant challenges that can be identified and solved with our security awareness training.”
More on this in the awareness training at Kaspersky.de
About Kaspersky Kaspersky is an international cybersecurity company founded in 1997. Kaspersky's in-depth threat intelligence and security expertise serve as the basis for innovative security solutions and services to protect companies, critical infrastructures, governments and private users worldwide. The company's comprehensive security portfolio includes leading endpoint protection as well as a range of specialized security solutions and services to defend against complex and evolving cyber threats. Kaspersky technologies protect over 400 million users and 250.000 corporate customers. More information about Kaspersky can be found at www.kaspersky.com/