Have you ever gotten the feeling that, sometimes, the people who are the least capable at something have the most confidence in their knowledge or abilities? There’s actually a name for that. It’s called the Dunning-Kruger effect.
The Dunning-Kruger Effect is a cognitive bias in which people who are less skilled at a given task tend to be overconfident in their ability, i.e. we tend to overestimate our capabilities in areas where we are actually less capable. Basically, for many, the less you actually know, the more you think you know.
Keep in mind: confidence, itself, is a good thing. And in cases where you know your stuff, you should absolutely use and share your knowledge to help enhance the lives and experiences of the people around you. But there’s a major difference between being fairly confident and having false confidence, as we saw in a recent global survey conducted by our partner OpenText company, Webroot. Featured in the report COVID-19 Clicks: How Phishing Capitalized on a Global Crisis, the survey data shows that, all over the world, people are overconfident about their ability to keep themselves and their data safe online.
Why is overconfidence so dangerous?
All it takes to breach a business is one wrong click by an unwitting employee. And keep in mind that the employee in question could be anyone in the company, including executive or leadership staff. Cybercriminals may target anyone and everyone and, by the law of averages, someone is bound to take the bait sooner or later.
“A company is vulnerable to attacks because each employee is vulnerable.”
– Briana Butler, engineering services manager, Carbonite + Webroot, OpenText Companies
Let’s look at some of the statistics from the survey.
- 8 in 10 people say they take steps to determine if an email message is malicious.
- Yet 3 in 4 open emails and click links from unknown senders. (a security best practice no-no)
- About 3 in 5 people think they know enough to stay safe online
- But 3 in 10 are certain they’ve fallen victim to a phishing attack in the last year.
And here’s the real clincher for businesses looking to improve their overall cybersecurity posture:
- Only 1 in 7 workers think a cyber resilience is a responsibility all employees share.
Clearly, many people believe they know what to do and/or are doing everything right. Unfortunately, they’re still getting phished. We asked Dr. Prashanth Rajivan, assistant professor at the University of Washington and expert in human behavior and technology, for his take on the matter.
“There are huge differences between knowing what to do and actually operationalizing that knowledge in appropriate scenarios. I suspect many people don’t really take the actions they reported, at least not on a regular basis, when they receive suspicious emails.”
– Prashanth Rajivan, Ph.D.
Additionally, many of the businesses that the surveyed employees work for don’t appear to be taking their cyber resilience as seriously as they should. Only 21% of businesses worldwide have increased their amount of cybersecurity training for employees during the COVID-19 pandemic. Additionally, only about half (54%) of global respondents said their employers back up their Microsoft® 365 suite, leaving a huge gap in data recovery plans.
How can businesses improve cyber resilience?
The short answer: through a strong combination of employee training and tools.
The long answer: when asked what would help them feel better prepared to avoid phishing and prevent cyberattacks, workers worldwide agreed that their employers need to invest more heavily in training and education, in addition to strong cybersecurity tools. Dr. Rajivan also agrees, stating that, if employers want to build cybersecurity awareness into their business culture, then they need to invest heavily in their people.
“By creating a feeling of personal investment in the individuals who make up a company, you encourage the employees to return that feeling of investment toward their workplace. That’s a huge part of ensuring that cybersecurity is part of the culture. Additionally, if we want to enable employees to assess risk properly, we need to cut down on uncertainty and blurring of context lines. That means both educating employees and ensuring we take steps to minimize the ways in which work and personal life get intertwined.”
– Prashanth Rajivan, Ph.D.
Ultimately, the importance of training can’t be emphasized enough. According to real-world data from customers using Webroot® Security Awareness Training, which provides both training courses and easy-to-run, customizable phishing simulations, consistent training can reduce click rates on phishing scams by up to 86.5%.
Additionally, part of true cyber resilience is accepting that a security breach isn’t a matter of if, it’s a matter of when. Today’s threats are evolving at a pace that makes an attack pretty much inevitable. Having less-than-comprehensive backups is a risky move for any business, no matter how incredible their security lineup may be.
If you want to increase cyber resilience, you have to minimize dangerous false confidence and build out a tested, reliable infrastructure to keep users and data secure.
- Tip #1: Empower your workforce with the training they need to confidently (and correctly) make strong, secure decisions about what they do and don’t click online.
- Tip #2: Use strong cybersecurity tools and backup and disaster recovery solutions.
- Tip #3: Don’t forget to back up collaboration tools like the Microsoft® 365 suite. Microsoft actually recommends companies use a third party backup provider. Simply search on "backup Your Content" in this link.
To learn more about peoples’ online clicking habits and what individuals and businesses can do to stay safe, read the full report: COVID-19 Clicks: How Phishing Capitalized on a Global Crisis
