ITWeb, in partnership with KnowBe4, conducted a cybersecurity culture survey earlier this year.
The objective was to discover how South African organisations are prioritising human risk, how they currently manage and measure their security culture as well as challenges and opportunities in running security culture programmes and initiatives. The survey also aimed to identify trends or changes that have come about since the first survey on this topic ran in 2021.
A total of 252 valid responses were captured, with 58% of respondents being at executive or middle management level.
Anna Collard, SVP of Content Strategy and evangelist at KnowBe4 Africa, says, “One challenge in the security culture space is we use terms that mean different things to different people – for example: awareness, behaviour, culture, human risk management and human layer defence. There isn’t really a technical solution for building a security culture – it requires a mindset shift. To do so, we have to win hearts and minds, while influencing behaviours, with the ultimate goal of reducing risks aimed at humans and those which emanate from humans.”
The majority (82%) of the survey respondents said they assess or measure their cyber security culture. Of these, 37% have a mature method in place to measure security culture, while 45% have some measures in place, but these could be expanded on.
“In the 2022 survey, where 35% of respondents did not measure their security culture programmes, this shows good progress,” notes Collard.
Methods used to assess or measure cyber security culture include: looking at metrics such as phishing simulation percentages and incidents reported by end users (62%); using a standardised methodology and tool (49%); combining qualitative analysis (such as surveys) and quantitative data analytics (33%); and using external consultants (27%).
Almost half of respondents (46%) have noticed an increase in social engineering over the past year. 15% of respondents experienced a decline in social engineering, while 18% of respondents either did not know or this was not measurable. The majority (81%) of respondents currently run a security awareness and culture programme.
The top three improvements that respondents say could be made to their security awareness and culture programme are:
- Measure and assess its effectiveness (46%)
- Collect and analyse user behaviour data (45%)
- Add more simulation techniques (such as phishing simulation) (44%)
Most respondents (94%) say security culture is important to their operations. The majority of respondents (92%) also say security culture is important to their clients and customers.
Collard says, “It’s good to see that security culture is either important or very important to 94% of respondents in this year’s survey, and even more so to the customers or clients of those organisations. This shows that having a security culture is definitely a competitive advantage.”
When it comes to testing their security incident and crisis plans, half (44%) of the survey respondents do this annually. 37% use external consultants to facilitate simulations. 31% do a desk-based walkthrough with involved stakeholders. 18% say they don’t test their incident response plans and 9% don’t have an incident response plan. Asked to rate the effectiveness of their current security awareness and culture programme, 39% said it was effective, 35% said somewhat effective and 19% said very effective.
Collard concludes, “In a mature security culture people understand the importance of cyber security, as well as their own human vulnerabilities such as, for example, the fact that they can make mistakes when distracted and how that could impact the organisational and their own personal data security.”
Share