KnowBe4 defines security culture as the ideas, customs and social behaviours of an organisation that influence its security. It encompasses seven critical dimensions: attitude, behaviour, cognition, communication, compliance, norms and responsibilities.
Anna Collard, SVP Content Strategy and Evangelist at KnowBe4 Africa, says, “It’s encouraging that most respondents (66%) currently assess or measure their cyber security culture. In fact, security awareness and culture programmes should be at the top of everyone’s project list for this year.”
The companies that measure their cyber security culture use various methods. Some 69% of respondents said they used metrics such as phishing simulation percentages and incidents reported by end users. Half (51%) of responding businesses said they used a standardised methodology and tool, while 43% said they combined qualitative analysis (such as surveys) and quantitative data analytics. A quarter of the respondents (26%) used external consultants.
Social engineering is also on the rise. A quarter of the survey’s respondents said they’d experienced an increase in social engineering over the past 12 months, while another 25% replied that they’d experienced the same amount of social engineering as the year before. Eleven percent said they’d seen a decline in social engineering over the past year and 19% were unable to measure this.
“Findings from other surveys show (i.e. KnowBe4 Africa Cyber Security Awareness report) that a large proportion of people will remain working from home going forward, and will therefore be vulnerable to social engineering attempts. At the same time, cyber extortion crime as well as social engineering (such as business email compromise scams) are expected to rise in 2022,” explains Collard.
It’s encouraging that most respondents (66%) currently assess or measure their cyber security culture.
Just under half (41%) of respondents run a security awareness programme but feel they should be doing more, 31% provide awareness and training targeted at different audiences and combine this with frequent phishing simulations and 28% are currently not running any security awareness and culture programmes.
Asked to list improvements that could be made to their security awareness and culture programme, respondents prioritised the following:
- Collect and analyze user behaviour data (56%)
- Measure and assess its effectiveness (52%)
- Add more simulation techniques (such as phishing simulations) (45%)
- Improve effectiveness of content & delivery (i.e. more gamification, better tailored to audience) (43%)
- Add in disciplinary actions (i.e. warnings for users not participating or failing phishing tests multiple times) (32%)
- Add in more rewards (25%)
Almost half (40%) of respondents reported an increase in users reporting scams on chat applications such as WhatsApp, Signal, Telegram and others.
When asked whether their organisation would benefit from cyber security training content specifically designed for mobile use in low bandwidth situations, 34% of respondents said this would be hugely beneficial; 51% said content needed to be functional regardless of device; and 15% said they didn’t allow mobile training internally.
Almost all of the survey respondents (89%) agreed that security culture was important to their operations. The same percentage (89%) agreed that security culture was important to their customers and clients. Collard says, “The survey results show that security culture has become an important aspect of cybersecurity operations with nearly 90% of respondents agreeing with the above.”
She concludes by advising businesses to prioritise security awareness and culture programmes for 2022.
Share