Survey: Americans have shallow understanding of cybersecurity
SAN DIEGO — When it comes to cybersecurity, Americans recognize the need for strong passwords and know that public Wi-Fi hotspots aren't necessarily safe for online banking or e-commerce.
But U.S. adults are not as good at recognizing email "phishing" schemes or determining if the website where they're entering credit card information is encrypted.
That's according to a new Pew Research Center survey titled "What the Public Knows about Cybersecurity." It tallied responses from 1,055 adults last year about their understanding of concepts important to online safety and privacy.
The results were mixed, highlighting that public awareness of online security measures remains a potential weak link in thwarting cyberthreats.
"It is probably our No. 1 concern and No. 1 vulnerability," said Retired Rear Adm. Ken Slaght, head of the San Diego Cyber Center of Excellence, a trade group for the region's cybersecurity industry. "These attackers keep upping their game. It has gone well beyond the jumbled, everything misspelled email."
Digital security firm Gemalto recently said 1,792 data breaches occurred worldwide in 2016, with 1.4 billion digital records compromised — up 86 percent from the prior year.
Gemalto, based in the Netherlands, did not include the 1.5 billion records exposed in the Yahoo! breach because it technically occurred in 2013-14. It was discovered last year.
"One of the biggest problems is people have become numb to this," said Slaght. "We all have had our credit card hacked. You just get a new one and life goes on."
The Pew Research survey asked 13 questions about cybersecurity. The median score was five correct answers. Just 20 percent answered eight questions correctly.
A relatively large percentage of respondents, however, answered "not sure" to questions rather than providing the wrong answer.
Participants had a good understanding of some basic security practices such as the importance of strong passwords and less knowledge of others — particularly more technical aspects of web safety such as multifactor authentication and virtual private networks.
"One of the things you see from the Pew study, as you drill down in security knowledge, the numbers really do drop off," said Stephen Cobb, security researcher for antivirus software firm ESET. "I was disappointed that only 33 percent were aware of what the 's' in 'https' meant."
It stands for secure, with website authentication and encryption of digital traffic. It is used mostly for online payments. Security researchers often suggest computer users examine the website address — known as the URL — as a first step before they click on a link.
"You wonder if people know what a URL is," said Cobb. "Do they know how to read a URL? So there is plenty of work to be done" in terms of public awareness.
Only 54 percent of respondents correctly identified a phishing attack. For cybercriminals, phishing remains a favorite trick for infecting computers with malware. Phishing schemes usually involve an email that directs users to click on a link to an infected website.
Computer security software does a good job of blocking most phishing schemes, said Cobb, including many sophisticated spear phishing attacks targeting individuals with personalized information.
Even so, cybersecurity technology can't yet deliver a "completely automated response to phishing," he said. "So we have to proceed with user education and with attempts to make phishing a poor career choice" by prosecuting those who do it.
Other findings in the Pew survey include:
• 75 percent of participants identified the most secure password from a list of four options.
• 52 percent of people knew that turning off the GPS function on smartphones does not prevent all tracking. Mobile phones can be tracked via cell towers or Wi-Fi networks.
• 39 percent were aware that Internet Service Providers still can see the websites their customers visit even when they're using "private browsing" on their search engines.
• 10 percent were able to identify one example of multifactor authentication when presented with four images of online log-in screens.