
Security Awareness Problem No One Talks About – Ep 552 

March 20, 2026

By Donna Grindle

Cybersecurity awareness is at an all-time high… so why are we still clicking the same sketchy links like it’s a hobby? In this episode, we dig into the uncomfortable truth: people know what to do, they just don’t do it. Between overwhelming workloads, nonstop digital noise, and a growing sense that “it’s inevitable anyway,” security has turned into that thing we all agree is important, right before we ignore it to get our jobs done faster.



Today’s Episode is brought to you by Kardon and HIPAA for MSPs with Security First IT.


Security Awareness Problem No One Talks About

[00:51]

Remember Donna’s 3 Rules of Security:
First, security is not convenient. If it were convenient, everyone would already be doing it.

Second, security is not optional. The threats don’t care whether you feel like dealing with security today.

And third, the hardest rule of all: security can’t prevent people from doing their job effectively and efficiently. There has to be balance.

If security stops people from getting their work done, they will work around it every single time. And that’s exactly what this new behavior report is showing. People actually understand security better than they used to… but when security conflicts with getting their work done, productivity wins.

The annual report on Cybersecurity Attitudes and Behaviors.

Oh Behave! Cybersecurity Attitudes and Behaviors Report: 2021–2025

Excerpts from opening by the CEO of CybSafe:

Trends drag the awkward stuff into the light. Like the fact that time pressure as a barrier to reporting phishing is up, not because people are busier, but because security has slipped into the ‘nice if we have time’ column when the deadlines are looming. Or that security fatalism (believing efforts are pointless) has nearly doubled in three years.

Why this one isn’t for the ‘I’ll get to it later’ pile

We’re at a crossroads. The data shows people aren’t apathetic, they’re exhausted. They’re not ignorant, they’re overwhelmed. And they’re not careless, they’re making rational trade-offs in an environment that makes secure behavior feel like the hardest option.

So buckle up. This report is big, sprawling, and occasionally uncomfortable. You’ll see where we’ve made progress, where we’ve stalled, and where we’re quietly sliding backward on a wobbly office chair. You’ll see why awareness campaigns aren’t enough, why training keeps bouncing off busy brains, and why motivation, not knowledge, is now the biggest barrier to security action.

Most importantly, you’ll see the trends. And once they’re on your radar, they’re not just going to politely disappear. Here’s to five years of data, five years of insights, and the (slightly sweaty, extremely necessary) hard work ahead to close the gap between what people know and what they actually do.

Key Findings

[09:16]

Awareness is rising, but behaviors have not kept up

  • Awareness of multi-factor authentication (MFA) rose from 52% in 2021 to 77% in 2025
  • Yet, regular MFA use fell to just 53% after peaking in 2022

Human constraints are the primary barrier

  • Worry about cybercrime has climbed from 57% of respondents in 2022 to 68% in 2025
  • 31% of participants now believe losing money online is unavoidable, up from 25% in 2022

Cybercrime is becoming normalized

  • In 2025, phishing accounted for 40% of reported incidents
  • Online dating scams rose from 22% of incidents in 2022 to 29% in 2025
  • Cyberbullying affected 23% of respondents in 2025, up from 13% in 2022

Drops in several important behaviors

  • Password hygiene
  • Use of MFA
  • Patching devices and software applications
  • Phishing defenses

Unfortunately, one of the report’s bigger points is normalization of victimhood, not just increases in incidents.

The angle they emphasize is: People increasingly believe being a victim online is inevitable.

The share of people who believe losing money online is unavoidable rose from 25% to 31%.

That’s not just crime increasing. It’s people giving up. That’s an important nuance.

People think protecting themselves is pointless because their data is already out there.

Add to that the fact that the majority of people are now online most of the time. Very few use the internet less than several times a day.

People underestimate how many accounts hold their personal data. The improvement isn’t that they have fewer accounts. It’s that awareness of exposure is slightly improving.

We’ve known for years security isn’t convenient (Rule #1). The report basically confirms people tolerate inconvenience for a while… until they don’t.

People are at least more aware that security is not optional (Rule #2).

When security slows people down, people bypass it.

They do believe it can be done; they just don’t have the time to devote to it or the motivation to change it.

[20:55]

This is where Rule #3 comes in: security must not prevent people from doing their job. It is the hardest one to address, but it has always been that way. We struggled to get everyone on the same page with Rules #1 and #2; at least we can now all try to work out Rule #3 together.

Guess what! Even though people are more accepting of protecting their own information, they still don’t see protecting workplace information as their responsibility.

In their view, that belongs to the IT and Security teams. What happens when you don’t have an IT and Security team, though? They didn’t ask that question.

The questions about training are where we can really take note and consider making some changes to how we are doing things. The data on training requirements and frequency is interesting.

They said that annual training gains fade at 6 months and show no real value in the long term. “This evolution may reflect a growing recognition that the traditional once-a-year, generic training approach has no or limited long-term impact on behavior change and risk reduction, as demonstrated by numerous research in the field.”

[28:39]

The next two charts are really interesting to review.

[40:13]

The researchers say the biggest barrier to secure behavior is no longer knowledge. It’s:

  • fatigue
  • overload
  • competing priorities
  • workflow pressure

That’s exactly what Rule #3 is describing.

People are making rational decisions to prioritize productivity.

In healthcare that’s even more pronounced:

  • A nurse trying to get meds to a patient
  • A doctor rushing between rooms
  • A front desk staff member handling 5 patients at once

If security slows them down, they will bypass it. Not maliciously. Just practically.

That’s the balance problem.

So where does that leave us? Somewhere between knowing exactly what to do and still not doing it. The real challenge isn’t more training, it’s changing habits in a world that rewards speed over caution. If security is going to improve, it has to fit into how people actually work, not how we wish they worked. Otherwise, we’ll keep checking the box… and missing the point.

HIPAA is not about compliance, it’s about patient care.™
