The French are aware of cyber risks but… are they truly responsible?

Who is afraid of the « big bad » cyber risk? Companies, for sure, and rightly so. According to the Cesin (Club des Experts de la Sécurité de l’Information et du Numérique) 2022 survey, more than one out of two companies has suffered a cyber attack in the previous year. 60% of them say they are concerned about sovereignty and trusted cloud issues, while 55% rate the risk of cyber espionage as « high« .

Does this mean that the general public doesn’t care about phishing campaigns, ransomware and other data compromises, or even white-collar crimes that sometimes make the headlines, but is hardly affected by them in their daily lives? Quite the opposite. Survey after survey, our fellow citizens claim to be greatly concerned by this scourge.

In March 2022, the IFOP conducted a survey for Galeon.care, a website specializing in medical data protection, entitled « Personal data, presidential elections, hospitals: cyber anxiety ». Of course, the context of this study was enough to arouse the concerns of the French: the Russian-Ukrainian war had just begun and the cyber aspect of this conflict was making the headlines.

Combine that with the upcoming presidential election, which had many commentators speculating about the risk of cyber interference in the election process, and it’s easy to see why 89% of respondents rated « the risk of cyberattacks and data hijacking as « high. »

A very widespread “cyber anxiety”

The election itself did not generate excessive anxiety, since only 17% of French people said they were « very worried » about a cyber attack aimed at distorting the result of the vote, and another 29% said they were « worried« . As for the rest, the concerns of private individuals are similar to those of professionals: 88% of them fear for their banking data, 86% are afraid of identity theft, while 70% are afraid of having their photos or videos stolen.

These results were corroborated by a survey conducted by Ipsos on behalf of Sopra Steria barely a month later. 86% of French people said they were worried about the risk of cyber attacks in France or in the world. Is this the result of being well informed about the risks involved… or of the increasing popularity of hacker films? The survey revealed that 72% of respondents feared the breakdown of public services (like the one that hit Costa Rica), while more than two thirds feared power outages, a disruption of emergency services or nuclear disasters. Only 59% feared disruptions in food supply chains, a scenario that has already been experienced in Great Britain and the United States.

Concerning the personal consequences of cybercrime (theft of bank data, identity theft…), the Ipsos survey is in the same order of magnitude as the IFOP survey.

Nearly one in two French people are hacked

And if the French are so sensitive to cyber risk, it may simply be because, like businesses, they are hit by hackers of all kinds. « More than two out of five French people (41%) have already been hacked in their lifetime, including 7% in the last twelve months, » says the IFOP. According to Ipsos, 48% of respondents have been victims of at least one hacking attempt, either successful or not. In other words, almost everyone knows someone who has been a victim, which is enough to raise awareness of this sensitive issue.

Well-informed, aware of the risks, and having sometimes experienced them… have the French adopted a cautious and righteous behavior on the web? This is where the problem lies. Nearly 80% of them admitted to Ipsos that they do not read the terms and conditions of the sites they visit and 73% are obliged to transmit personal information on the Internet, to complete a transaction, for example.

And it’s no better in their professional lives. CISOs are well aware that the pandemic and its lockdowns and curfews have made remote working the standard way of organizing in many companies. And they also know the consequences for their organization’s IT security. According to Proofpoint, 91% of French organizations have been the target of cyber attacks in 2021. 65% have even suffered multiple attacks.

When you prefer to ignore the rules

And as is often the case, the risk factor lies between the chair and the screen. IT security managers can put in place the most effective tools and protocols, but if they are not used and followed, it’s a waste of time. Phishing and ransomware campaigns are more often successful because of poor employee handling than because of the sophistication of the code.

The University of Central Florida investigated why employees did not follow instructions designed to protect their companies, as well as themselves. The study, published in January 2022, looked at more than 330 individuals who worked remotely. While the declarative nature of the study inevitably left unintentional security breaches in the shadows, it was nonetheless quite informative. With 67% of survey participants failing to comply with their company’s cybersecurity policy at least once in 10 days of work, we can see how far we have to go to achieve full compliance.

What is even more interesting is the motivations of the perpetrators: only 3% of them said they wanted to harm their company. The three most common motivations, accounting for 85% of responses, were « to do my job better, » « to get something I needed, » and « to help others do their job« . This last one (18% of responses alone) is certainly a great opportunity for phishing or scams.

Combining cybersecurity and performance

To put it plainly, certain cybersecurity rules were deliberately ignored when they presented an obstacle to the employee’s productivity, a factor that was all the more prevailing when the employee was stressed for personal or professional reasons. Such stress was sometimes caused by the security rules themselves, which were perceived as an obstacle to the completion of a task or merely to the work habits of the study participant.

Therefore, its authors point out that a significant number of voluntary human breaches occur between ignorance and malice, which could therefore be avoided. In order to do so, they recommend that employees be better involved in defining the rules they will have to apply. As for managers, they should better integrate cybersecurity compliance into their teams’ performance indicators so that it is not perceived as a constraint.

The good news is that the majority of French people are aware of the risks. This is a good start.