In its fifth year, the annual Oh, Behave! report is back to give us another temperature check on the security attitudes of the masses.
The findings provide a window into what people know about cybersecurity, what they think they know, and what they’re doing about it. Or not.
57% Always Connected to the Internet
Does it look like people are always on their phones? Because they just might be. According to the survey, 57% are “always connected” to the internet. Here are some of the key stats on who is always online:
Over 65% of Gen Zs and Millennials
Only 26-35% of Baby Boomers and the Silent Generation
79% in Brazil
70% in India
55% in Australia
54% in Mexico
50% in the United States
Being ever-connected means more than just getting a great Wi-Fi signal. It means more chances to get pwned online. And that’s exactly what attackers want.
It’s unfortunate that so many go it alone when it comes to cyber safety. Over four in 10 (43%) said they don’t count on anyone to keep them safe online: not IT companies, not family, no one. But interestingly, nearly half (46%) reported that others looked to them for help.
Is Cybersecurity a Top Concern or Background Noise?
Survey says? We kind of like it.
According to this year’s report, 82% now believe staying safe online is a priority. Encouragingly, 77% think staying safe online is worth the effort, 74% hold it’s possible, and 69% say it’s downright achievable. Those are great stats.
However, not all are firm believers, with 43% saying cybersecurity is intimidating and 42% calling it frustrating. Both can be true.
Additionally, many people fear the misuse of their data by government entities, with slightly over half fearing misconduct from foreign governments and their own. Among younger generations (Millennials and Gen Z), these numbers are over 10% higher than among older generations.
Unfortunately, confidence does not equal competence. One out of every two respondents believes their devices are secure “automatically.” And 53% consider online protection to be expensive. Whether or not that 53% has actually invested in it is unclear.
Worried and Accepting of the "Inevitable"
Perhaps those who prioritize cybersecurity were speaking from their experience. Nearly half (44%) of respondents reported being “personally victimized” online in 2024, and 68% are worried about it.
And surprisingly, some have just given up on cybersecurity. A strong percentage believe that losing things like money (31%) and personal information (40%) online is now “inevitable.” Perhaps that is because over 60% doubt the ability of law enforcement to protect them, as well as the ability of defenders to keep pace.
But even with these doubts, many are secure in their ability to address a certain type of attack themselves.
We Could Catch Phish. If We Wanted To.
Here’s the good news. Two-thirds (66%) of respondents are highly confident they can spot a phishing scam. And in the age of GenAI where spotting fakes can be more challenging, that’s really saying something.
Now, for the bad news. The number of people looking for and reporting phishing has declined. Only 45% “always” or even “very often” report a phishing message.
So, when we do check for and report phishing, what clues are we relying on? Respondents said their top three phishing red flags are:
Whether it was sent from a legitimate email address (55%)
If it asked for sensitive or personal information (54%)
Poor grammar and spelling errors (53%)
How Many Have Shared Sensitive Data with AI?
Perhaps attackers don’t have to phish us. Perhaps they can wait for us to phish ourselves. Alarmingly, 43% of respondents reported sharing work-sensitive information with AI models without telling their employers.
Let’s just let that sink in.
Not only is the data out there, but the security teams within those organizations have no idea about it, so they can’t even double down on defenses. If it’s not already too late.
Sure, employees should know better, but isn’t it also the responsibility of employers to teach them about AI data privacy? So far, over half (52%) of all participants have not received training on AI cybersecurity, even though 65% now report using AI.
But that can be remedied.
How Do I Train Thee? Let Me Count the Ways
Again, the good news. When organizations decide to train their employees, it really works.
Security awareness training was the single most impactful way to boost users’ ability to identify and report phishing emails. An impressive 47% reported an improved ability in spotting a phish, and nearly as many started using MFA after their security awareness training. We can only assume the effect on safe AI usage might be the same.
So, what works best? Users preferred video content to interactive modules (that tested their knowledge) by a factor of three-to-one. But this preference does not indicate effectiveness. Whether users liked videos best because they could slide to the end might be a question for another survey.
Train Your Team to Be Your Strongest Defense
Strong cybersecurity is a combination of man and machine. The right technologies matter, but it’s humans at the tip of the spear, doing dangerous things like opening phishing emails and dumping sensitive data into AI.
It all starts with the right tools and a strong security culture. If you’re looking to enhance your organization’s cybersecurity awareness, connect with Fortra Human Risk Management to transform human behavior into your strongest cyber defense.