The representative survey shows just how differently end-users and IT decision-makers think about data security – and what this means for IT security
Zurich, October 2022 – Cyberattacks continue to pose a massive problem. This makes it all the more important for companies and customers to adapt to the growing dangers and take effective countermeasures. The Nevis Security Barometer sees the Swiss specialist for secure login solutions gauge the mood with regard to IT security. The results of this latest study show that there is still work to be done. Particularly noticeable factors include the mismatch between customer expectations and the views of companies and – not least – a lack of knowledge among IT decision-makers.
For the Nevis Security Barometer, Nevis teamed up with the opinion polling companies Civey and mo’web research to conduct an online survey of 500 German IT decision-makers and 1,000 German consumers aged 14 and over. Topics covered included password security and login behaviour.
Many sources of danger
Companies are also clearly noticing a steady rise in the number of attacks. If their data inventories are attacked by hackers, companies are not only at risk of direct financial losses – for instance, if money is transferred illegally – but may also suffer an enormous loss of public trust and the departure of customers. Most of the IT decision-makers surveyed for the Nevis Security Barometer also believe the danger is growing. Approximately 57 per cent say they have noticed an increase in cybercrime in their professional environment in the past year, while 39 per cent think the problem has remained more or less at the same level. A total of 54 per cent of IT professional also said that their own company had been the target of a cyberattack in the past twelve months. Based on their statements, a quarter (26.4 per cent) of the attacks registered can be attributed to ransomware. This is followed by Denial of Service (DoS) with 20 per cent, brute force attacks (18 per cent) and social engineering (17 per cent). The relatively low number of credential stuffing attacks reported, at 6 per cent, is striking and suggests that many cases go unreported. That is because this type of attack involves the use of stolen login data, which means that they often go undetected for long periods.
The fact that companies do not always respond in the best possible way if they uncover an attack on their IT systems is clear from the results of the consumer survey. Companies are legally obliged to inform their customers immediately of security breaches and possible consequences. In reality, only 41 percent of consumers who were affected by a cyberattack said that they were informed by the company in question – a substantial worsening of the information situation compared with the previous Nevis Security Barometer, which reported a figure of 48 per cent. On the other hand, the topic now seems to feature much more frequently in the media with 34 per cent of those affected confirming that they heard about the loss of their data from this source. In 2021, just 15 per cent of participants in the study made the same claim.
A lack of information among IT decision-makers
Last year’s Nevis Security Barometer also revealed an alarming tendency. The way that many companies go about protecting their data is far from satisfactory – and many of the IT decision-makers surveyed really need to brush up on their knowledge of the procedures required. There are no signs of improvement in these critical points in 2022. Once again, the most frequently cited precautions are prescribing minimum password lengths (65 per cent) and the requirement to make regular password changes (41 per cent). Just 34 per cent rely on two-factor authentication using SMS, while a mere 21 per cent use biometric two-factor authentication. Another particularly alarming finding is that some ten per cent of the surveyed IT managers report that they do not take any precautions to enhance IT security. And when it comes to cybersecurity standards such as FIDO, Oauth or WebAuthn, just half of those surveyed appear to be reasonably well-informed. However, the other half (47 per cent) are, by their own admission, not familiar with any of the common standards.
The dangers from the customer perspective
And how aware are consumers of the dangers regarding IT security? Here, the Nevis Security Barometer shows that the fear of cyberattacks and concerns about personal data remain high. Just five per cent of those surveyed have no concerns whatsoever about the security of their data. The figures for this are virtually unchanged compared to the previous year.
What specific issues are consumers concerned about? Approximately 68 per cent see the misuse of personal data as the greatest danger. With response rates of 59 per cent respectively, the fear of internet fraud as well as the fear of third parties taking control of internet accounts also rank high in the list of dangers. However, concerns about government surveillance are comparatively less pronounced. Just 28 per cent of those surveyed see this as a danger – a drop of seven per cent compared with the previous edition of the Nevis Security Barometer.
At the same time, private users certainly do not always take security as seriously as they should: the survey revealed that 54.4 per cent admitted to using the same password for multiple accounts – an absolute no-no for security experts. Despite this carelessness, most users are well aware of the basics of password security: 59 per cent use particularly complex passwords that cannot simply be guessed by hackers, and at least 44 per cent use different complex passwords for different accounts. There is scope to expand the use of modern security processes. For instance, just 34 per cent rely on the exceptional security offered by two-factor authentication to log into their accounts. When it comes to biometric authentication – for example, FaceID or fingerprint – the figure is just 17 per cent. The fact that this is because many companies do not yet use these processes is clearly shown by the comparison of customer expectations and assessments by IT professionals.
Customers and companies have different expectations
For service providers operating on the internet, this is a dilemma: although customers may have work to do themselves in terms of IT security, they have high expectations of how companies deal with data protection and cybersecurity – expectations that companies do not always fulfil. This is particularly noticeable in relation to two-factor authentication. Whereas only 4 per cent of IT experts assume that customers would like to use two-factor authentication (2FA) to secure their accounts, the actual figure for customers is 64 per cent! No less than 45 per cent of consumers surveyed would feel more secure if they could use their biometric data to log in. Conversely, 57 per cent of IT managers assume that customers are very unwilling to use this exceptionally secure process.
Just like last year’s Nevis Security Barometer, we observed major discrepancies between the security needs of users and the assumptions made by IT managers about this need for security,’ explains Stephan Schweizer, CEO of Nevis Security AG. ‘Companies must bridge this gap if they want to retain the trust of their customers over the long term while at the same time effectively protecting their data inventories. The tools that can bring IT security up to the latest standards are already available and ready to use. Software-based customer identity and access management systems are the new standard here. The future belongs to passwordless authentication – and major players such as Apple, Google and Microsoft are actively working to implement a login process without passwords to make it more secure and more convenient.’
The Nevis Security Barometer is available to download from the following link: www.nevis.net/en/nevis-security-barometer
Nevis develops security solutions for the digital world of tomorrow. Its portfolio encompasses passwordless logins, which are intuitive to use and offer optimal protection for user data. Nevis is the market leader for Identity and Access Management in Switzerland and secures over 80 percent of all online banking transactions. Public authorities, leading service providers, and industrial enterprises worldwide rely on Nevis solutions. The authentication specialist has locations in Switzerland, Germany, and Hungary.
LEWIS Communications GmbH
Ingo Geisler, firstname.lastname@example.org