Cybersecurity Attitudes and Behaviors Report

The National Cybersecurity Alliance (NCSA) has released their Attitudes and Behaviors report for 2021, and, honestly, it’s not great.  Well, the reporting is great, and it’s great that the NCSA conducts and releases this annual report.  But the content of the report contains some not-so-great behaviors among real users.


As we know, Multi-Factor Authentication (MFA) is a great way to combat potential account takeovers or just general bad password hygiene.  Even when MFA is used, Password Blacklisting still makes sense.  But if MFA is not in use, then Password Blacklisting is an absolute must!  Unfortunately, the report found that 52% of people have never heard of MFA.  This makes enforcing strong passwords even more important.  But why is this?  Well, 64% say they have no access to MFA, and another 10% say they do have access to MFA, but choose not to use it.



Additionally, the data indicates a significant proportion of people simply do not see themselves as responsible for looking after their workplace’s sensitive information.  Over a third (40%) of the full-time and part-time employees participating in this report considered themselves to be the least responsible agency for their organization’s cybersecurity.  That means that nearly half of your employees don’t think it’s their responsibility to choose a strong password!  This statistic is alarming and makes the case for all businesses to deploy Password Blacklisting in order to prevent users from choosing poor passwords.



Speaking of passwords, the report also discovered some alarming, but simultaneously not surprising, statistics on real-life password behaviors.  Only 43% of participants reported creating long and unique passwords for their online accounts “very often” or “always”. However, almost a third (28%) stated that they didn’t do so.  A third of real-life users are knowingly choosing weak passwords!  That’s a big number!

But what about the more middle-of-the-road, average password behavior?  It’s still not great.  A majority (58%) of the respondents say they only “sometimes” (30%), “rarely” (18%), or “never” (10%) create long (12-character) and unique passwords.  This is probably because use of a stand-alone password manager application, which would create these long unique passwords, was uncommon, with almost half (49%) of the participants noting they ‘never’ or ‘rarely’ used one.


Not Great.  But What To Do?

The full Cybersecurity Attitudes and Behaviors report (available here) contains lots more information and statistics.  But even with just the few takeaways mentioned above, it’s clear that more work needs to be done.  Deployment of Multi-Factor Authentication would absolutely help, but by 2021, MFA still isn’t completely pervasive because of many real-life problems, including end-user adoption woes, cost to the business, supportability, and definitely incomplete deployments, since businesses commonly support legacy systems that have no concept of MFA – or anything other than usernames and passwords, really.

Enter Password Blacklisting – the incredibly affordable and easy-to-use solution to the bad password problem.  Password RBL has drop-in support for Microsoft Active Directory (and anything linked to AD) and a dead-simple API that can be incorporated into basically anything else.  The return on investment (ROI) of a subscription to Password RBL makes deployment an easy choice – for IT and decision makers.  See our solutions in action and request a free quote today!