While cyber leaders overwhelmingly believe their organisations have a strong security culture, new figures compiled by email security specialist Tessian have revealed that they may be deluding themselves, exposing an alarming disconnect between security pros and the rest of the business.
With three-quarters of UK and US organisations having experienced some kind of cyber incident in the past year, a significant proportion of employees seem to regard training exercises as something to be endured, rather than engaged with.
The report, How security cultures impact employee behaviour, found that while 85% of employees participate in security awareness or training programmes, 64% don’t pay full attention and 36% consider their organisation’s security training boring.
Overall, the report found a general consensus among security leaders over what goes into making up a strong security culture, but with incident volumes remaining stubbornly high, Tessian said it was clear that those at the top had a lot more work to do.
“Everyone in an organisation needs to understand how their work helps keep their co-workers and company secure,” said Kim Burton, head of trust and compliance at Tessian. “To get people better engaged with the security needs of the business, education should be specific and actionable to an individual’s work.
“It is the security team’s responsibility to create a culture of empathy and care, and they should back up their education with tools and procedures that make secure practices easy to integrate into people’s everyday workflows.
“Secure practices should be seen as part of productivity. When people can trust that security teams have their best interest at heart, they can create true partnerships that strengthen security culture.”
The report showed how training exercises – which in many firms comprise little more than “home-brewed” PowerPoint presentations cooked up by legal and compliance experts who have no real understanding of how people engage with educational materials – are failing to impact employees across the board.
For example, 30% of respondents said they didn’t think they had a personal role to play in keeping their company secure, while 45% did not know how, or to whom, to report a security incident, and only one in three said they were satisfied with their IT or security team’s communications.
Meanwhile, over half of respondents said they saw nothing inherently risky in actions such as downloading apps to work devices, sending sensitive data to their own personal email accounts, sharing passwords internally, or connecting to open or public Wi-Fi networks on work devices.
And even when it came to clearly risky actions, such as clicking on links in emails from unknown sources or opening unsolicited attachments, leaving work devices unlocked and unattended, and reusing passwords, well over 40% of respondents said they didn’t see a problem.
Stop scaring people
A big source of disconnection seemed to be a tendency among leadership to use security training to spread fear and uncertainty as a motivator.
For example, half of respondents to Tessian’s study claimed to have had a “negative experience” with a phishing simulation, a finding illustrated by the 2021 story of a phishing test at West Midlands Trains that went disastrously wrong.
The test appeared to be an email from company leadership detailing a thank-you bonus for employees who had worked through the pandemic, and many people clicked on the link, only to find themselves being ticked off for being insufficiently security-conscious. Union officials described the stunt as “crass and reprehensible”.
According to Karen Renaud, chancellor’s fellow at the University of Strathclyde, and Marc Dupuis, assistant professor at the University of Washington Bothell, such tactics can “cripple employee decision-making, creative thought processes, and the speed and agility that businesses need to operate in today’s demanding world”.
Tessian said there were several things security leaders should be doing to engage employees better with cyber security procedures.
For example, security leaders need to play more of an active role at key touchpoints during an employee’s “journey” with the organisation, such as onboarding, role or office changes, and offboarding. Tessian said onboarding new hires represents a great opportunity to capture people’s imagination before they become cynical and jaded, while more thoughtful and comprehensive offboarding processes can help prevent critical data going missing when someone leaves.
Another thing every security leader should be doing as a matter of course is to establish clear and regular lines of communication across the entire organisation, paying close attention to how much information they share, who it comes from, via what channels, and how frequently.
Tessian offered four key pointers on how to do this effectively:
Cut out jargon, technical terms and acronyms, and provide only “need-to-know” information.
Tailor communications to specific people, teams and departments. Someone in marketing, for example, will not have the same concerns or see the same threats as someone in HR.
Identify one person to deliver updates and be a consistent point of contact for everyone.
Develop a consistent format and cadence for security communications.
Finally, it said, there are technological solutions which, sensibly deployed, can help establish cyber “self-efficacy” within the organisation.
Tessian’s report was compiled using data gathered by OnePoll, which surveyed 500 IT security leaders and 2,000 working professionals in the UK and the US.