Report: No Organization’s Security Culture Has Received ‘Excellent’ Score

Image

Security culture matters to executives, but these individuals are struggling to implement it. In a November 2019 study commissioned by KnowBe4, 94% of individuals with managerial duties or higher in security or risk management said that security culture was important for their organization’s success. Even so, Security Magazine shared that 92% of respondents were still experiencing security incidents and working on integrating their security strategies with their business strategies despite having embedded security culture in their organizations. These findings beg several questions. Is it possible for organizations to evaluate the effectiveness of their security cultures? If so, are there larger trends that could help organizations in different industries strengthen their security cultures?

The Multiple Dimensions of a Security Culture

KnowBe4 arrived at an answer in its report, “Measure to Improve – Security Culture Report 2020.” In this study, the security awareness training provider collected data from 120,050 employees working at 1,107 organizations spread across 24 countries and 17 industry sectors. It did this for the purpose of developing an objective scientific method to evaluate and compare the relative components of an organization’s security culture. For this task, KnowBe4 broke down its analysis into seven different components:

• Attitudes: How employees feel towards the organization’s security protocols and issues.
• Behaviors: Employees’ activities and actions that affect an organization’s security.
• Cognition: The knowledge that employees have of security issues and activities.
• Communication: The types of channels that the workforce can use to discuss and share support for security-related issues.
• Compliance: The awareness that employees have of their organization’s security policies and how they follow them.
• Norms: The extent to which employees are knowledgeable of and adhere to the organization’s unwritten codes of security conduct.
• Responsibilities: How employees view their role in either supporting or undermining their organization’s security.

From there, KnowBe4 used a proprietary statistical algorithm to calculate the strength of each dimension on a scale of 0-100. Those scores broke down into the following ratings: Excellent (90-100), Good (80-89), Moderate (60-79), Poor to moderate (50-59), Poor (30-49) and Extremely poor (0-29). Using those scores, the company was able to compare the strengths and weaknesses of organizations’ security cultures across different industries.

The Small Gap Separating Strong and Poor Performers

Overall, KnowBe4 found that the best performers and poor performers weren’t all that far apart. Banking and Financial Services were the two sectors that had the strongest average security cultures at a score of 76. They were closely followed by Insurance and Technology at both 75. The security awareness training provider reasoned that these industries did well because of the regulations with which they must already comply for managing financial and security risks. On the other end of the spectrum, the Education industry received the lowest score of 68. A close look at this sector revealed to KnowBe4 that Education organizations were still in the process of accepting their exposure to digital threats. The company noted that the outbreak of coronavirus 2019 (COVID-19) had had a significant impact on Education. As a result, it reasoned that organizations in this sector might improve their security cultures going into 2021. Transportation and Energy & Utilities didn’t do much better at 70 and 71, respectively. Regarding the former, organizations in Transportation faced challenges as they advanced their digital transformation by bringing new devices into their environments. Kai Roer, managing director, CLTRe AS – a KnowBe4 Company, noted that COVID-19 also had had an effect:

Transportation of goods has demonstrated its importance in these times of Covid. The abruption of delivery services has led to breakdown of food distributions, as well as interruptions in production for other industries. Due to its criticality in today's inter-connected societies, the Transportation sector really needs to up its game on security. If not, we risk that hackers start to target logistics operations and bring down companies, industries and potentially, countries.

Acknowledging these challenges, KnowBe4 recommended that Transportation organizations work with their employees to make sure they’re aware of relevant security policies. It also advised that they encourage security-related activities including training and education programs. The Energy & Utilities sector found itself in a different place than the Transportation industry at the time of the study. Several federal and non-profit organizations espoused the mission of working with the sector to provide organizations with security training, risk detection and threat prevention tools for defending against nation-states and digital criminals. But these measures didn’t help the Energy & Utilities as a whole in gaining a score of higher than 71. Roer was a bit perplexed by this finding:

The Energy sector is often considered critical infrastructure, and as such, one would expect the security in general to be quite good. Our research shows that the expectations are not matched by reality. One must ask why it is so that a sector like the energy sector is performing so poorly on security culture. Are they forgetting the human element of security? Do they think social engineering is not an issue for them?

A closer look revealed that the sector received a moderate performance in the Norms dimension with a score of 68. In response, KnowBe4 recommended that organizations invest in their ongoing security awareness training programs. Such education would also help Energy & Utilities organizations in the Cognition dimension, which was only 66 for this sector.

Inside Other Sectors’ Struggles with Security Culture

Education, Transportation and Energy & Utilities weren’t the only sectors in which organizations struggled with their security cultures. Government and Manufacturing also experienced some challenges. Organizations in the Government sector weren’t new to the need to manage risk across an increasingly complex infrastructure at the time of the study. Even so, this experience didn’t elevate the sector’s average security culture rating above 71. Roer explained that organizations can improve their scores by focusing on their people:

Governments are tasked by a large number of obligations - from managing critical infrastructures, to protecting the country from outside (and inside...) threats, to improving the population's education and culture. Such a wide variety of tasks will result in a lot of variation in their security needs and practices. Although we do see the variation being documented by the security culture scores across the sector, we are surprised to see the generally low score for the sector as a whole. It is time for the governmental sector to step up their game on fighting social engineering and building strong human firewalls.

Meanwhile, Manufacturing received the exact same security culture score as Government. But it faced different security challenges. In particular, many organizations in the industry were working to modify and globalize their supply chains as part of their digital transformations. This task involved adding greater connectivity to manufacturing platforms. “This sector is not performing well when it comes to security culture,” Roer asserted. “Intellectual properties are a valuable target for the bad guys, and the best way to fight off the criminals is by upping the game on social engineering protection and building strong human factors. There are important areas for improvements: strengthening the Norms will help to build better behaviors and thus help protect the sector.” In particular, Roer recommended that manufacturing organizations focus on cultivating threat awareness within the organization as well as investing in ongoing training for employees.

The Central Takeaway

These findings reveal that all industries maintained a Moderate rating for their security cultures. At the organization level, 92% of analyzed organizations received a Moderate score; the remaining 7% earned a Good score. These findings indicate that organizations have invested at least somewhat into their security cultures. But in the absence of a single Excellent score, they also reveal that organizations could be doing much more. Building a strong security culture starts with understanding how each individual can use their position to effect change. For greater insight into this process, download this Tripwire guide.