With employees not believing that it’s important to personally worry about cyber security risks, they also tend to believe they’re not a target, new data suggest as the reason for the risky behavior.

In most cyberattacks, the employee plays some role – clicking on a malicious attachment, giving up their corporate credentials to an impersonated logon page on the web, or taking specific action because they were fooled into believing their CEO or boss told them to. So, it’s important for employees to not engage in risky online behaviors.

But according to new data from security vendor Thycotic, employees simply aren’t prepared and educated to think about corporate risk, let alone their role in helping to mitigate that risk. In their newly released Balancing Risk, Productivity and Security report, Thycotic point out some specific insights that clearly point to how and why employees are creating risk:

• 45% see the organization being at little or no risk of cyberattack
• 51% say IT should be solely responsible to protect the organization from cyber threats
• 79% of employees have engaged in one or more risky activities that include sharing credentials with colleagues, using the same password across multiple sites, using unauthorized personal devices to conduct work, and allowing family members to use their corporate device

One of the reasons is clear from the report’s data: 56% of employees have received no Security Awareness Training in the last year. Over half of employees aren’t having the concept of needing to be vigilant continually reinforced – so it’s no wonder these organizations are seeing employees introduce risk regularly.

If you want a vigilant and cyber security-minded employee, you need to continuously teach them about the importance of cyber vigilance. Otherwise, you’re going to end up with an organization that is demonstrated by the Thycotic data.