For many years, “people” have often been labelled as the barrier to cybersecurity. However, this generalization is an unfair statement to make. Whenever the concept of cybersecurity comes up in the workplace, many employees will believe cybersecurity is a technology issue and not something they should care about. Another assumption is that the IT team will handle the problem. This assumption leads to potentially insecure behaviors and this needs addressing to keep the entire organization safe, reduce the risk footprint and protect sensitive data. It’s well documented that data is regarded as the lifeblood of a company. However, because the consumption of sensitive data is on the rise, this increase is in tandem with the number of cyberattacks and breaches we are seeing.
Lead security awareness advocate at KnowBe4.
The current state of cybersecurity
Statistics show that the number of data breaches came to almost 3000, with over 8 billion records breached in 2023. This resulted in the global average cost of a data breach reaching a record high of $4.45 million. However, worldwide end-user spending on security and risk management is projected to total $215 billion in 2024, an increase of 14.3% from last year.
Additionally, the 2024 Verizon Data Breach Report revealed that 68% of breaches, whether they include a third party or not, involve a non-malicious human element, which refers to a person making an error or falling prey to a social engineering attack. This stat is rather telling because it reinforces the fact that even if you have the best security technology in the market, there are no guarantees an incident won’t still happen when humans are involved. For this reason, efforts should be made to focus on improving the human aspect of security to promote secure behaviors amongst employees.
Security culture and its core elements
One of the key strategies for fostering secure practices within organizations is deliberately nurturing a strong security culture. This encompasses the collective beliefs, practices and interpersonal dynamics that shape security protocols. Achieving a robust security culture hinges on employees internalizing their roles and obligations to safeguard not just their professional domains, but also their realms. Prioritizing the enhancement of security culture enhances an organization's preparedness, empowering individuals to instinctively serve as a proactive defense mechanism.
To understand what elements influence security culture means knowing its seven core dimensions:
1. Attitude: This refers to the feelings and beliefs of employees towards security protocols and concerns.
2. Behavior: it pertains to the actions and activities of employees that impact the security of the organization, either directly or indirectly.
3. Cognition: This involves the understanding, knowledge, and awareness of security issues among employees.
4. Communication: It denotes the quality of communication channels used to discuss security events, foster a sense of belonging, and offer support for security-related matters and incident reporting.
5. Compliance: This dimension assesses employees’ familiarity with written security policies and the degree to which they adhere to them.
6. Norms: It refers to the awareness of and adherence to unwritten rules of conduct within the organization.
7. Responsibility: This dimension gauges how employees perceive their role in either upholding or compromising the security of the organization.
Security culture in Europe
Organizations prioritizing the establishment and upkeep of a security culture will encourage notably heightened security awareness behaviors among their employees. Examining this further, research has shown that organizations in Europe have a good understanding of security culture as both a process and a strategic measure. However, many have yet to take their first tactical steps toward achieving that goal. Those who have done so realize that shaping security behaviors is essential in developing a security culture. These organizations acknowledge that in a proactive security culture, employees have an inherent understanding that security behavior extends beyond participating in phishing simulations - the employees are intrinsically motivated to add to the security posture of their respective organizations.
Delving deeper, smaller European organisations score higher in security culture due to more effective personal communication, stronger community bonds and better support for security issues. This naturally leads to enhanced Cognition and Compliance, with improvements in communication channels posited as a key driver for better security policy understanding and proactive security behaviours that outperform global averages. Conducting an examination of which industries displayed the best security culture within Europe, it is certainly gaining traction among security experts within sectors like finance, banking and IT, which are all heavily digitized. Indeed, security awareness is no longer understood as a checkbox exercise for satisfying compliance requirements. It is increasingly seen as a strategic initiative to foster a security mindset in the organization.
Impact of EU regulations
When you factor there are 44 sovereign countries with a total of 746 million people, that is a large number of potential victims hackers can target with social engineering. Because of this, everyone must be part of the defense, particularly as EU legislation and regulation places more demands on businesses.
Firstly, GDPR had a global influence in prioritising individual interests in data-handling. Now, sector-specific regulations, like the Network and Information Security directive (NIS2), enforce strict cybersecurity standards, hold boards accountable for organisational cybersecurity and supply chain security. Next, the Digital Operational Resilience Act (DORA), which will be effective from January 2025 and targets financial institutions, mandates rapid cyber attack recovery and employee training. Additionally, the EU AI Act, scheduled for enforcement in 2025, categorizes AI risk and imposes substantial fines for non-compliance.
Successful cybersecurity governance requires unified strategies, standardized processes, clear accountability, and adequate resources, ensuring compliance isn’t merely a formality but a robust security framework.
Getting security culture right
To get security culture right within your organization, focus on two or three high-risk behaviors for change - there are free security culture surveys to help gauge the current stance on this as a starting point. It's crucial that organizational goals, strategies and objectives are aligned with this mission and so develop a plan to influence behaviors by utilizing both formal mechanisms and informal leadership modelling. Ensure clear communication tailored to diverse preferences and secure executive endorsement to solidify support. Execute the plan with defined goals and timelines, maintaining open communication channels. Evaluate progress through subsequent surveys and share findings with leadership. Solicit input from stakeholders to refine strategies continuously. Stay proactive against evolving cyber threats, remaining flexible to adjust to react to business objectives accordingly.
To conclude, start the journey to building a strong security culture with a positive mindset and confidence because by taking these steps, it will be paving the way for a long-term change in your workforce’s awareness and preparedness to security.
We've featured the best identity theft protection.
This article was produced as part of TechRadarPro's Expert Insights channel where we feature the best and brightest minds in the technology industry today. The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing find out more here: https://www.techradar.com/news/submit-your-story-to-techradar-pro
