Cyber security training ‘boring’ and largely ignored – ComputerWeekly.com

While cyber leaders overwhelmingly believe their organisations have a strong security culture, new figures compiled by email security specialist Tessian have revealed that they may be deluding themselves, exposing an alarming disconnect between security pros and the rest of the business.
With three-quarters of UK and US organisations having experienced some kind of cyber incident in the past year, a significant proportion of employees seem to regard training exercises as something to be endured, rather than engaged with.
The report, How security cultures impact employee behaviour, found that while 85% of employees participate in security awareness or training programmes, 64% don’t pay full attention and 36% consider their organisation’s security training boring.
Overall, the report found a general consensus among security leaders over what goes into making up a strong security culture, but with incident volumes remaining stubbornly high, Tessian said it was clear that those at the top had a lot more work to do.
“Everyone in an organisation needs to understand how their work helps keep their co-workers and company secure,” said Kim Burton, head of trust and compliance at Tessian. “To get people better engaged with the security needs of the business, education should be specific and actionable to an individual’s work.
“It is the security team’s responsibility to create a culture of empathy and care, and they should back up their education with tools and procedures that make secure practices easy to integrate into people’s everyday workflows.
“Secure practices should be seen as part of productivity. When people can trust that security teams have their best interest at heart, they can create true partnerships that strengthen security culture.”
The report showed how training exercises – which in many firms comprise little more than “home-brewed” PowerPoint presentations cooked up by legal and compliance experts who have no real understanding of how people engage with educational materials – are failing to impact employees across the board.
For example, 30% of respondents said they didn’t think they had a personal role to play in keeping their company secure, while 45% did not know how, or to whom, to report a security incident, and only one in three said they were satisfied with their IT or security team’s communications.
Meanwhile, over half of respondents said they saw nothing inherently risky in actions such as downloading apps to work devices, sending sensitive data to their own personal email accounts, sharing passwords internally, or connecting to open or public Wi-Fi networks on work devices.
And even when it came to clearly risky actions, such as clicking on links in emails from unknown sources or opening unsolicited attachments, leaving work devices unlocked and unattended and reusing passwords, well over 40% of respondents said they didn’t see a problem.
A big source of disconnection seemed to be a tendency among leadership to use security training to spread fear and uncertainty as a motivator.
For example, half of respondents to Tessian’s study claimed to have had a “negative experience” with a phishing simulation, as illustrated by the 2021 story of a phishing test at West Midlands Trains that went disastrously wrong.
The test appeared to be an email from company leadership detailing a thank-you bonus for employees who had worked through the pandemic, and many people clicked on the link, only to find themselves being ticked off for being insufficiently security-conscious. Union officials described the stunt as “crass and reprehensible”.
According to Karen Renaud, chancellor’s fellow at the University of Strathclyde, and Marc Dupuis, assistant professor at the University of Washington Bothell, such tactics can “cripple employee decision-making, creative thought processes, and the speed and agility that businesses need to operate in today’s demanding world”.
Tessian said there were several things security leaders should be doing to engage employees better with cyber security procedures.
For example, security leaders need to play a more active role at key touchpoints during an employee’s “journey” with the organisation, such as onboarding, role or office changes, and offboarding. Tessian said onboarding new hires represents a great opportunity to capture people’s imagination before they become cynical and jaded, while more thoughtful and comprehensive offboarding processes can help prevent critical data going missing when someone leaves.
Another thing every security leader should be doing as a matter of course is to establish clear and regular lines of communication across the entire organisation, paying close attention to how much information they share, who it comes from, via what channels, and how frequently.
Tessian offered four key pointers on how to do this effectively:
Finally, it said, there are technological solutions which, sensibly deployed, can help establish cyber “self-efficacy” within the organisation.
Tessian’s report was compiled using data gathered by OnePoll, which surveyed 500 IT security leaders and 2,000 working professionals in the UK and the US.

All Rights Reserved, Copyright 2000 – 2022, TechTarget