While most workers believe they can spot a phishing attempt, nearly one-in-four under-35s would fall for a suspicious message if they thought it came from a colleague or boss.
Four-in-five British workers told Accenture researchers they were confident they'd spot a suspicious message, even though more than a third have never received cybersecurity training.
Men show the biggest faith in themselves, being nearly twice as likely as women to report high confidence in spotting cyber threats, at 22% compared with 12%.
But younger workers in particular may be wrong about this. The survey of over 1,000 British employees found that 15% would share company data or make payments via messaging apps, without verifying the sender, if the message seemed to come from a leader or colleague.
Among under-35s, so those in the millennial and Gen Z demographics, this rose to nearly a quarter (24%).
“With cyber criminals weaponizing information from social media to deceive people with realistic messages or calls, employees must make faster judgement calls on what’s real and what’s not," said Kamran Ikram, Accenture’s security lead in the UK and Ireland.
"The workforce feels cyber confident – though its uneven among men and women – there remains a serious skills and training gap across the board. Being overconfident yet undertrained is a dangerous position to be in."
More cybersecurity training is needed
Notably, more than one-third (37%) of British workers have never received any cybersecurity training, including 44% of over-55s. Meanwhile, only one-in-five have been trained to recognize deepfakes or AI-generated phishing emails.
This lack of training is more significant in smaller companies, where 79% of microbusinesses with less than 10 employees and 55% of small firms with between 10 and 49 employees offer no cybersecurity training at all.
"Organizations must look to be resilient in every area of their operations and supply chain, which means ongoing education on cyber threats," said Ikram. "Businesses can’t rely on patchy preparedness when attackers are advancing by the day.”
Even when employees are receiving training, it's not adequately covering all the risks, Accenture found. Half of those that have been trained said they've received no guidance on using AI safely, such as what data should not be shared with public tools or how to identify AI-enabled attacks.
As a result, 17% have no awareness of AI-driven cyber threats while only 61% are aware of deepfake videos or AI-generated phishing emails, and fewer than half are aware of voice cloning or identity theft.
“AI is bringing immense opportunity to business, but it also is changing the risk landscape as criminals increasingly incorporate AI into their arsenal," said Ikram.
"Today, awareness of AI-enabled attacks is still uneven, and that gap is where the next wave of breaches will likely happen. But more than that - building a cyber-savvy workforce isn’t just about protecting your systems, it’s also what allows innovation and trust to scale together.”
Workers do at least have a sense of collective responsibility. While a quarter of British employees believe that the IT or security department is most responsible for protecting a company against cyber threats, more than twice as many accept that it's a joint responsibility across the organization.
Make sure to follow ITPro on Google News to keep tabs on all our latest news, analysis, and reviews.
You can also follow ITPro on LinkedIn, X, Facebook, and BlueSky.
MORE FROM ITPRO
- Are we in a cyber awareness crisis?
- Employee phishing training is working – but don’t get complacent
- Best online cyber security courses
-
Tapping into the ’touch grass’ movement in cybersecurityIndustry Insights With cybersecurity experiencing a ’touch grass’ moment, what role should resellers play?
-
Cyber resilience in the UK: learning to take the punchesColumn UK law now puts resilience at the centre of cybersecurity strategies – but is legislation simply catching up with enterprise understanding that resilience is more than just an IT issue?
-
The Scattered Lapsus$ Hunters group is targeting Zendesk customers – here’s what you need to knowNews The group appears to be infecting support and help-desk personnel with remote access trojans and other forms of malware
-
Google wants to take hackers to courtNews You don't have a package waiting for you, it's a scam – and Google is fighting back
-
77% of security leaders say they'd fire staff who fall for phishing scams, even though they've done the same thingNews A new report uncovers worrying complacency amongst IT and security leaders
-
Been offered a job at Google? Think again. This new phishing scam is duping tech workers looking for a career changeNews A new Google Careers phishing scam is targeting tech workers looking for a change of scenery – here's how to stay safe
-
Hackers are using a new phishing kit to steal Microsoft 365 credentials and MFA tokens – Whisper 2FA is evolving rapidly and has been used in nearly one million attacks since JulyNews Whisper 2FA is now the third most common Phishing as a Service tool worldwide
-
Microsoft and Cloudflare just took down a major phishing operationNews RaccoonO365’s phishing as a service platform has risen to prominence via Telegram
-
Hackers are abusing ConnectWise ScreenConnect, againNews A new spear phishing campaign has targeted more than 900 organizations with fake invitations from platforms like Zoom and Microsoft Teams.
-
Employee distraction is now your biggest cybersecurity riskNews Workplace distraction is the top reason organizations fall victim to cyber attacks, according to new research.
