Building strong security culture fundamental, and lacking - KnowBe4
Business security has been at the forefront of Australian's minds following high profile data breaches last year, but IT decision makers are still struggling to build a culture of security in their organisations, according to new research from KnowBe4.
According to the research, only one third of IT decision makers across Australia know what 'security culture' is, and think their organisation has a good security culture.
Jacqueline Jayne, Security Awareness Advocate APAC at KnowBe4, says, "More than a quarter (27%) of IT decision makers have never heard of the term security culture (more than two in five, 43%, office workers say the same). Of the remaining three quarters (73%) of IT decision makers who say they have heard of 'security culture' before, only three in five (63%) know what it means.
"Every organisation already has a security culture whether you like it or not. The challenge is to understand it as it stands today, define what you want it to be and go about making that happen."
According to KnowBe4, one in ten (11%) say they know what 'security culture' is, but don't believe their organisation needs it. A further one in ten (9%) say they know what it is, and that their organisation needs to have one place, but don't know how to achieve it and 7% say they don't have one in place, while 6% think it is someone else's responsibility.
When it comes to defining security culture, those IT decision makers who have heard the term, most commonly say that, to them, 'security culture' means recognition that security is a shared responsibility across the organisation (67%) and having an awareness and understanding of security issues (64%).
Three in five (59%) believe it means compliance with security policies, over two in five (44%) think it means that security is embedded into the organisations culture, and more than a third (36%) say it has something to do with establishing formal groups of people that could help influence security decisions.
Jayne says, "It is important to note that the phrase security culture is beginning to find its way into the lexicon of IT leaders. But there is a problem IT decision makers have vastly different definitions of security culture, which makes it almost impossible to measure and work towards.
"At KnowBe4, we define security culture as the ideas, customs and social behaviours that influence an organisations security. A common definition makes it possible to discuss the same thing, in the same way. We all know that if you do not measure something, that something does not exist."
When it comes to security across the broader organisation, employees are even more in the dark, the research finds. A quarter (25%) of office workers say their employer hasn't communicated about security culture at all and more than two in five (43%) office workers have never heard of the term security culture.
Only a third of office workers (34%) say that their employer has communicated about security culture, and only a quarter say they are clear on what it means and their role. How employees perceive their role is a critical factor in sustaining or endangering the security of the organisation, explains Jayne. It is imperative that employees are educated on securing not only their professional, but personal environments.
What they learn and how they incorporate into everyday behaviours and attitudes is then completely transferable into their personal lives and will protect their own data. When it comes to asking for help, of those office workers who have an IT team to ask, a third (34%) say they are reluctant to ask their IT team security-related questions.
One in five (18%) say it's a hassle, so they rarely ask their IT team for help if they have security related questions, while 13% fear the consequences and 13% are embarrassed/ feel stupid asking their IT team security related questions. Gen Z are most likely to be reluctant to ask IT security related questions (56%), compared to Millennials (35%), Gen X (35%) and Baby Boomers (11%).
Overall, KnowBe4 says, building a strong and positive security culture is an effective mechanism to influence users' behaviour and, thereby, reduce an organisation's risk and increase resilience.