MediaPRO Research Reveals Almost Two-Thirds of U.S. Employees Unaware if the CCPA Applies to Their Organization

Employees are more aware of privacy risks and stakes but unsure of how they affect the workplace; persistent misconceptions about malware, phishing and cloud counter gains in cybersecurity savvy

BOTHELL, Wash. — MediaPRO’s just-released 2020 State of Privacy and Security Awareness Report highlights employee knowledge gaps across both the cybersecurity and privacy realms, including a lack of awareness of two major data privacy regulations.

Notably, 62 percent of employees reported they were unsure if their organization has to comply with the recently-enacted California Consumer Privacy Act (CCPA), which gives California residents enhanced consumer data privacy rights. Results reveal a similar lack of awareness regarding the European Union’s General Data Protection Regulation (GDPR), in effect since 2018.

Based on an in-depth survey of more than 1,000 employees across diverse types of organizations and job roles, the report gauged understanding of cybersecurity and privacy and the level of risk organizations face due to a lack of awareness. The survey was conducted by Osterman Research.

The findings reveal progress in cybersecurity awareness. However, many respondents continue to hold false impressions about malware, phishing, and cloud file-sharing, putting their personal and employers’ data at risk.

“The benefits and rewards of digital technology are many, but so are the risks. As states race to address cybersecurity and data privacy risks with new compliance measures, businesses are under more pressure than ever to educate their employees, or prepare to face increasingly negative outcomes,” MediaPRO Chief Strategist Lisa Plaggemier said. “To adequately protect consumer data, companies must quickly transform employees from bystanders into security advocates, and that begins with awareness programs that engage employees and reinforce behaviors that align with security and compliance goals.”

The survey assessed employee engagement with and understanding of good cybersecurity and privacy practices (or lack thereof) across multiple risk areas. Overall results show more than 50 percent of respondents fall within the “vulnerable” side of the spectrum regarding their reported practices and attitudes.

“The survey revealed a number of key issues that decision makers should address right away,” said Michael Osterman, Principal Analyst of Osterman Research. “Among them is the need for more and better security awareness training, and improving employees’ perception of their role as a key line of defense for both security and privacy compliance.”

MediaPRO’s research surveyed U.S. employees across a variety of industries to gauge how well employees were implementing cybersecurity and privacy practices and the level of risk organizations face when employees do not understand them.

Many Employees Still in the Dark

  • Confidence and Security Awareness Remain Lacking: Awareness of seemingly basic cybersecurity threats and best practices remains insufficient among many employees, putting them and their organizations at risk. More than a quarter admitted struggling to identify a phishing email, while just 17 percent felt “very confident” they could identify a social engineering attack. Only 27 percent of employees can identify at least two warning signs that malware has infected their computing platform, and two in five employees are unable to describe to senior management the negative impacts posed by cybersecurity risks.
  • Misinformation and Misconceptions Abound: Cybersecurity awareness requires the ability to correctly distinguish cybersecurity fact from fiction, yet many employees have distorted ideas. For instance, one in seven employees believe that – much like the flu passes among people – malware can spread among devices in close physical proximity. A full 39 percent of employees mistakenly believe that simply leaving their computer unlocked can also result in a malware infection.
  • Privacy Regulations Remain Challenging: Many employees require a better understanding of the privacy regulations and guidelines impacting their organizations, and the requisite steps to protect data. A majority of employees (more than 60 percent) don’t know if their organization needs to comply with most privacy rules and data protection guidelines such as the CCPA, Payment Card Industry Data Security Standard (PCI DSS), and GDPR. In fact, nearly three in five employees (58 percent) don’t believe storing sensitive data in an unsecured location or on their desktop / laptop computers or mobile devices (69 percent) could pose a potential policy violation.

But There’s Light at the End of the Tunnel

  • Social Media / File-Sharing Security Awareness is High: The majority of employees (more than 50 percent) understand that oversharing on social media is a bad idea, as it can give cybercriminals the information and opportunity to craft more targeted attacks. More than half of employees understand using personal webmail for work purposes poses a risk to their organization, and 90 percent recognize the risk associated with using personally managed file-sharing or similar cloud solutions for work purposes.
  • Employees Possess Password Savvy: The majority of employees are mindful of password best practices, using a unique password for every device and application (52 percent). When working from home, 61 percent of employees agree it’s important to change their router’s default password before accessing corporate data or email.
  • Urgency of Updates is Understood: Software updates serve an important role in protecting devices from viruses and malware, and ensuring security holes are quickly patched before cyber thieves can exploit them. The vast majority of employees (84 percent) understand that regularly installing software upgrades helps protect against cybersecurity threats and prevent security breaches.

“Safely navigating the digital world remains confusing for many. Add to that an ever changing roster of seemingly byzantine rules and regulations and the effort can seem almost insurmountable,” MediaPRO Chief Learning Officer Tom Pendergast said. “This survey shows we still have a long way to go toward resolving employee clarity and consistency on cybersecurity and data privacy obligations and best practices; however, we’re encouraged that many of our respondents appear to be on the right track in putting their cybersecurity knowledge into action day-to-day.”

As the 2020 State of Privacy and Security Awareness Report demonstrates, a significant proportion of employees lack good cybersecurity practices. Recognizing that just one employee’s actions can make the difference in preventing or permitting damaging security incidents, MediaPRO training courses are designed to engage learners, change behavior, and reduce risk. For more information on MediaPRO, please visit

Interested in learning more about effectively engaging employees to create a more risk- and privacy-aware corporate culture? Join MediaPRO at RSA Conference in San Francisco’s Moscone Center, February 24-28.

MediaPRO’s experts are speaking at RSA Conference; this year’s theme, “Human Element,” captures the importance of informing and empowering employees to defend their personal and employer’s data from multiplying risks.

About MediaPRO

MediaPRO security and privacy training solutions are used by organizations of all sizes to protect sensitive data, demonstrate compliance, and reduce the risk to their reputation and bottom line. MediaPRO covers security, privacy and compliance so you can address a more complete threat landscape. For more information, visit

About Osterman Research

Osterman Research provides timely and accurate market research, cost data and benchmarking information to technology-based companies. They do this by continually gathering information from IT decision-makers and end-users of information technology. They report and analyze information to help companies develop and improve the products and services they offer to different markets or to internal customers. Learn more at