But who is bringing up the rear?…
The banking and financial services sectors have the highest security culture, but there’s not an industry out there that has what can be considered a ‘good’ security culture.
At least that’s according to KnowBe4’s fourth annual security culture report, which draws on surveys from 320,000 employees globally, including nearly 7,000 across Australia and New Zealand.
The company, which is backed by private-equity firm KKR and has infamous ex-hacker Kevin Mitnick – once one of the FBI’s most wanted, achieving infamy for his hacking of major corporations including Digital Equipment Corp, Sun Microsystems and Motorola, and his 1995 arrest and imprisonment – as its ‘chief hacking officer’, states outright that even those companies in the best performer category shouldn’t be too quick to congratulate themselves.
“It is surprising that more organisations are not succeeding in this area.”
“A score of 76, as seen by banking and financial services, is well below a Good security culture,” the report says. To rank as ‘Good’ on the KnowBe4 score card a company has to achieve a rating of 80.
The report doesn’t just rank industries for their security culture. It also breaks the results out to regions, with Australia and New Zealand, as part of ‘Oceania’ sitting on a security culture score of 72 – just behind top ranked North America and Europe, both scoring 73. That local score is lifted by New Zealand’s 73. Australia meanwhile, comes in at just 71. Cyprus leaves the rest of us in its dust, with a score of 82 – the only country to make it into the 80s. Malaysia’s 62 puts it at the bottom for security culture.
KnowBe4 does, of course, have a vested interest in having companies concerned about their security. Its platform enables organisations to simulate phishing attacks to check how prepared, and aware, employees and the company itself are.
Nonetheless, The Security Culture Report 2021: A Global Security Culture Perspective During a Pandemic does draw on a substantial body of data.
It makes for somewhat uncomfortable reading suggesting there’s still a lot of work to be done to develop the ‘security culture’ – defined as the ideas, customs and social behaviours of an organisation which influence their security – that can provide the foundation for security behaviour to protect companies.
That’s despite security culture being flagged by 94 percent of the security leaders surveyed as the most important element in their security strategy.
KnowBe4 says organisations with a poor security culture have employees who are 52 times more likely to share security credentials than those with a good security culture.
“Detailed analysis shows that the majority of all analysed organisations managed to develop a mediocre or moderate security culture, while only a small portion of organisations have a good security culture.
“Alarmingly, a few organisations are scoring in the Poor bracket and no organisations have reached an Excellent security culture score yet,” the report says.
“Our research shows that moving from one security culture class to another is directly correlated to risk.
“By improving from the current class of Moderate to the next class of Good security culture, these industries [banking and finance] will see a reduction by eight times of employees sharing credentials.”
While banking and financial services may be leading the way, education is bringing up the rear as one of the worst performers – despite a ‘significant improvement’ moving up two points to 70 this year, something KnowBe4 attributes to the move to virtual settings and the associated technology and training changes.
Joining education at the bottom is construction, and, unlike education, its ranking took a hit this year, down one point to 70 – the starting point for the ‘moderate’ category. Government, energy and utilities, manufacturing, retail and wholesale and transportation follow on 71.
Technology, insurance and consultancy are not far behind financial services and banking, with 75, followed by healthcare and pharmaceuticals and business services on 74.
The legal industry follows on 73 – one of the few to move upwards this year, jumping two points – again, that’s a move attributed largely to the move online.
As to what’s behind a poor security culture, the report found 20 percent of the more than 200,000 employees surveyed felt they didn’t receive enough training on information security, and a whopping 43 percent said they wouldn’t notice if their computer was compromised.
That lack of training information could result in poor understanding about when incidents need to be reported and when security standards need to be adhered too.
“Given the many tools, resources and strategies created to tackle this specific issue, it is surprising that more organisations are not succeeding in this area,” the report says. “Organisations can leverage online training and ramp up internal employee engagement campaigns to address this issue, giving every employee access to the security information they need.”
The lack of confidence about being able to recognise whether a device has been hacked plays into cybersecurity threats, including the likes of the highly popular – and proliferating – Ryuk ransomware, remaining undetected for months. Ryuk accounted for roughly a third of all ransomware attacks in Q3 of 2020.
The abundance of passwords required by employees and a lack of password management solutions being used, is also causing issues.
“In our research, we found that 77 percent of the employees do not use any means to securely store their passwords. The fact that most employees are required to have a large number of logins, while they are not able to save their passwords in a secure location, suggests that most employees reuse passwords.
There’s another factor at play too, with the report suggesting employees often don’t know who to contact in the case of a security incident, or find it difficult to reach the security experts.
“When organisations fail to provide their employees with adequate processes and access to the specialists, a higher number of security breaches are to be expected.”
The report comes as KnowBe4 gears up to IPO, with US Securities and Exchange Commission filings showing the company plans to sell 11.8 million shares at $16-$18 each – giving the company a valuation of around US$3 billion.