ITWeb, in partnership with KnowBe4, conducted a survey on cyber security culture during December 2021/January 2022.

The objective of the survey is to gain insight into the state (or the perception thereof) of cyber security culture amongst South African organisations.

A total of 182 responses were captured, with 56% being at executive or middle management level. While 40% of respondents come from the IT sector, the remaining 60% come from a wide range of major industry sectors, with finance, government and telecoms being the best represented.

Here are some of the key findings:

1. Most respondents (66%) say they currently assess or measure their cyber security culture.

2. Methods used by those that measure their cyber security culture include:

  • Metrics such as phishing simulation percentages and incidents reported by end users
  • A standardized methodology and tool
  • Combining qualitative analysis (such as surveys) and quantitative data analytics
  • Using (external) consultants

3. Asked whether they’d experienced an increase in social engineering over the past 12 months, a quarter of respondents (25%) replied that they’d experienced the same amount of social engineering as the year before. A further 25% said they’d seen a slight increase (<10%), 20% said they’d seen a dramatic increase (>10%), while 11% said they’d seen a decline in social engineering over the past year. 19% were unable to measure this.

4. Three quarters of survey respondents (72%) run a security awareness and culture programme.

5. Asked to list improvements that could be made to their security awareness and culture programme, respondents prioritised the following:

  • Collect and analyze user behavior data
  • Measure and assess its effectiveness
  • Add more simulation techniques (such as phishing simulations)
  • Improve effectiveness of content & delivery (i.e. more gamification, better tailored to audience)
  • Add in disciplinary actions (i.e. warnings for users not participating or failing phishing tests multiple times)
  • Add in more rewards

6. 40% of respondents reported an increase in users reporting scams on chat applications such as WhatsApp, Signal, Telegram and others.

7. When asked whether their organisation would benefit from cyber security training content specifically designed for mobile use in low bandwidth situations, 34% of respondents said this would be hugely beneficial; 51% said content needed to be functional regardless of device; and 15% said they didn’t allow mobile training internally.

8. Almost all of the survey respondents (89%) agreed that security culture was important to their operations. The same percentage (89%) agreed that security culture was important to their customers and clients.