Organizations’ IT and cybersecurity professionals are struggling to spread security awareness and build security into their workplace culture, with a shocking percentage of employees responding to a recent study that they are simply unaware of cybersecurity issues and don’t find security awareness training effective.
According to a recent report from cloud email security software provider Tessian, nearly one-third (30%) of employees at any given organization do not think they are personally responsible for maintaining their company’s cybersecurity posture, and just 39% of employees say they are very likely to report a security incident.
When asked why they wouldn’t report incidents, 42% say they wouldn’t know how to report an incident they had caused in the first place, and 25% said they just don’t care enough about cybersecurity to mention it, according to Tessian’s research, a survey of over 2,000 employees in the U.S. and U.K. That, of course, makes the job of IT and security teams even more time-consuming and challenging.
However, nearly all (99%) IT and security leaders surveyed as part of the report say a strong security culture is important to maintain a strong security posture.
Kim Burton, head of trust and compliance at Tessian, said everyone in an organization needs to understand how their work helps keep their coworkers and company secure.
“To get people better engaged with the security needs of the business, education should be specific and actionable to an individual’s work. It is the security teams’ responsibility to create a culture of empathy and care, and they should back up their education with tools and procedures that make secure practices easy to integrate into people’s everyday workflows,” Burton said in a statement. “Secure practices should be seen as part of productivity. When people can trust security teams have their best interest at heart, they can create true partnerships that strengthen security culture.”
Security awareness training shortfalls
Technology professionals rate their organization’s security an 8 out of 10 on average, but about 75% of those organizations have had a security incident in the last 12 months, suggesting that security awareness training isn’t going far enough.
About half of security leaders say awareness training is one of the most important factors in building a strong security posture, but just 28% of employees say security awareness training is engaging, and only 36% say they pay full attention during such training.
Even the employees who are engaged might not find the security awareness training effective: just half say it’s helpful, and half have had a bad experience with a phishing simulation.
Tessian’s report also highlights a disconnect when it comes to reporting security risks: 80% of security leaders believe robust feedback loops are in place for reporting incidents, but fewer than half of employees feel the same way. That suggests security teams have less visibility into security risks than they think.
Interestingly, the report found that the youngest generation (18-24 years old) is almost three times as likely to have a negative experience with a phishing simulation compared to those 55 years and older. Those older employees are also four times more likely to have a clear understanding of their organization’s security policies compared to their younger colleagues, and are also five times more likely to follow those rules.