The question of ordinary users’ awareness of cyber threats and the scope of their knowledge about them may seem philosophical or rhetorical, but only at first glance. The results of studies and surveys show that ordinary people’s awareness of threats unrelated to strictly “conditional” viruses or Trojans is very low. Meanwhile, the understanding of problems that network users may encounter now directly affects the well being of his/her employer. That is without mentioning the comfort of a user whose computer would have been crippled, or a bank account compromised by attackers via a user’s mobile device.
Here are the most common examples. If an employee who has just joined the company does not know the basics such as not running email attachments without checking if they are forbidden. Such behavior may threaten the entire company. In most cases, there are various foolproof solutions enabled in corporate networks, but it does not mean incorrect user actions can be absolutely dismissed, and that there is no more need to teach employees the basics of IT security.
According to the survey of user attitudes to IT security, which Kaspersky Lab and B2B International conducted in August 2013, the awareness of end users on topical IT threats leaves much to be desired.
Most users have a common understanding of threats, i.e. know that they exist at all. About 50% of the respondents in our study indicated that regardless of the operating system a mobile device or a computer can be considered safe only with the installed means of protection against information threats.
Nevertheless, too few are willing to take any additional security measures. For example, as much as 17% of users do not take any steps to ensure more safety of their passwords to financial and/or billing services accounts, while 39% of people in the whole world prefer to use one or just a few passwords for the whole range of resources they visit. At the same time 63% of respondents admitted that their passwords are not hard to guess, and only 9% of users take extra measures to secure their passwords.
But if the majority of users generally know about such threats as malware – viruses and Trojans, the degree of awareness of the more exotic phenomena is very low.
For example, the information about cyber espionage campaigns like Red October and cyber weapons such as Mini Flame and Gauss is being closely followed by 3% of respondents at best. 21% have heard something about Red October, 12-13% have heard something about Mini Flame and Gauss.
But let us say that an average user is not very endangered by messing with that kind of stuff, if he or she is not engaged with banking or governmental organizations.
The same “graceless ignorance” is demonstrated by users en masse when it comes to much more common threats. For example, only 6% of the respondents know about zero day vulnerabilities and exploits. 21% “have heard something” and 74% have no idea what they are.
A similar pattern is observed in the case of botnets: 6% know what they are, 24% have heard something, 69% are totally unfamiliar with the notion.
Just 4% of the respondents truly know about Trojan Zeus/Zbot, which infected computers in 196 countries of the world, i.e. it didn’t make it to Antarctica only. With its help the operators of it “earned” about $70 million, but 23% of users only have heard something, 73% just do not know about it at all.
Thus, the majority of people still do not know what a botnet is… It must be said, it is partly the reason they are prevalent. No user is going to check a computer or a mobile device for a present malicious botnet if he does not know what it is.
In turn, the lack of knowledge of zero day threats is dangerous and quite concerning, too, since there are multiple mentions of vulnerabilities and exploits in mass media.
Totally, the picture is clear. The degree of awareness of users about the threats that go beyond “conditional” viruses and Trojans is perilously low and has to be upgraded. The most promising option here is IT security basic training of employees.