KnowBe4, the provider of a security awareness training and simulated phishing platform, conducted a survey during Infosecurity Europe that evaluated the opinions of nearly 200 security professionals towards security culture, or more specifically: the ideas, customs and social behaviours of an organisation that influence its security practices.
The research found the threat of cyber warfare (30%) or experiencing a data breach or cyberattack (30%) were the two biggest reasons why security professionals wanted to improve security culture at their organisations. Given the current invasion of Ukraine by Russia and the resulting cybersecurity warnings announced by many of the world’s leading governments, improving current cybersecurity efforts has continued to be a top priority for many.
The study also revealed just over two thirds (67%) answered that a strong security culture would very likely reduce the risk of security incidents, with the majority (85%) directing their efforts into both improving security awareness training and communicating values expected from employees regarding security.
However, there are many obstacles when attempting to create a strong security culture. The main issue was a lack of budget (26%), followed by indifference from fellow employees (24%) and a lack of senior management support (16%).
Interestingly, just under three quarters (73%) admitted to putting an increased effort into measuring employees' understanding of security. This still leaves a considerable gap of 27% that do not, something many security professionals will want to consider closing. Thankfully, 38% agree this aspect of security culture is an area they want to improve in their organisation. When witnessing a colleague display poor security practices, 67% of UK security experts would prefer to tell the individual discreetly, while just under a third (31%) would send the member of staff training material to review. Only 18% would report the individual to the security team.
“Reprimanding or berating a member of staff is not conducive when trying to create a strong security culture,” said Javvad Malik, lead security awareness advocate at KnowBe4. “Traditionally, security teams have been negatively perceived but it’s now evident the tide is changing with security personnel being more understanding and constructive with their approach. This is beneficial when trying to enhance the security knowledge of the wider workforce because building trust, having open dialogue and a better rapport with employees, will lay the foundations for improved security awareness and culture. Having a collaborative mindset is needed, especially during this period of heightened cybersecurity concern.”
Other findings from the report include:
- 84% claim they direct most of their security culture efforts into putting security policies or procedures in place and then measuring their effectiveness. Just over three quarters (76%) say empowering employees to make smarter security decisions, instead of reprimanding them for insecure actions, was where they focussed their efforts.
- Just over a quarter (28%) state having security awareness advocates from within the company was the most effective way of communicating security awareness messages. A further 25% said gamification, while 12% said having instant or prompt training at the point of mistake was most effective.
- 43% of respondents said the Security Team or CISO takes charge of creating their organisation’s security culture, while 28% said the IT department took responsibility.
“Addressing the human element of security must become a focal point for today’s security teams,” said Stu Sjouwerman, founder and CEO of KnowBe4. “As we continue to research further into security awareness and security culture and what drives these elements, we are reminded of how critical the human-layer is to an organisation’s defence. Having a strong security culture holds the power to shape the behaviours, norms, attitudes, and mindsets of employees toward cybersecurity and this in turn will reduce the overall risk for an organisation.”
For the full survey results analysis by Javvad Malik, lead security awareness advocate at KnowBe4, check out the blog: https://blog.knowbe4.com/breaches-cyberwar-driving-security-culture