As security becomes more complex organizations are tasked with making sure that it’s not just the IT department on the lookout for the next threat since malicious actors can get in from anywhere, particularly in a multi-cloud environment. Employees are being trained on cybersecurity best practices, and are adding words like ‘ransomware’ to their lexicon. But it still may not be enough.

Cybersecurity training provider Wombat Security Technologies released the results of a survey this week that looks at the personal security behaviors of more than 2,000 U.S. and U.K. workers at work and at home. It’s worth noting that the study was conducted less than 24 hours before the WannaCry ransomware attack last month.

The results shed some light on the level of knowledge around cybersecurity by the average worker, which obviously differs greatly from that of cybersecurity professionals, who Wombat said tend to overestimate the knowledge the general public has on cybersecurity risks.

“This could be giving security professionals false confidence and may be the reason why just fewer than half of organizations have a security awareness training program for their employees,” Wombat VP of marketing Amy Baker said in a statement.

The survey found that between U.S. and U.K. respondents, 50 percent of U.S. workers have been the victim of identity theft, compared to 19 percent of those in the U.K. Wombat said that this discrepancy could come down to awareness of cybersecurity best practices in general. For example, 54 percent of U.S. respondents believe a trusted location – such as a hotel or an airport – indicates a trusted WiFi network, compared to 27 percent of U.K. respondents who shared this belief.

There is also a discrepancy between U.S. workers and U.K. workers in terms of their trust in antivirus software; in the U.S., 58 percent of respondents said that antivirus software would be able to stop a cyberattack, compared to 37 percent of U.K. respondents.

U.S. workers are more likely than their U.K. counterparts to use a password manager, 38 percent compared to 10 percent, respectively. A recent report by Pew Research Center found that the majority of Americans (65 percent) memorize passwords in their head, while 18 percent write them down on a piece of paper; only 3 percent used a password management program.

From an IT pro perspective, there are a lot of takeaways from the report, including the risks associated with employees using work devices for personal activities like shopping online and playing games. According to the survey, 71 percent of U.S. workers use their corporate laptop or smartphone at home, and nearly half (46 percent) allow family members and friends to check and reply to email on those devices, so even if you warn employees about security risks like phishing, their friends and family may not get the same message.

Employees, and employers, are going to have to do a much better job as the Internet of Things (IoT) complicates the security landscape even further.