Business security has been at the forefront of many organisations' minds following high profile data breaches last year, but IT decision makers are still struggling to build a culture of security in their organisations, according to new research from KnowBe4.
According to the research, only one third of IT decision makers know what 'security culture' is, and think their organisation has a good security culture.
More than half (53%) of office workers say they have never heard of the term security culture (15% of IT decision makers say the same). Of the remaining 85% of IT decision makers who say they have heard of 'security culture' before, only 7 in 10 (73%) know what it means.
"Every organisation already has a security culture whether you like it or not," says Jacqueline Jayne, Security Awareness Advocate APAC at KnowBe4.
"The challenge is to understand it as it stands today, define what you want it to be and go about making that happen," she says.
Worryingly, 6% of IT decision makers say they know what 'security culture' is, but don't believe their organisation needs it. A further 14a5 say they know what it is, and that their organisation needs to have one place, but don't know how to achieve it, and 14% say they don't have one in place, while four percent think it is someone else's responsibility.
What is security culture?
When it comes to defining security culture, those IT decision makers who have heard the term, most commonly say that, to them, 'security culture' means recognition that security is a shared responsibility across the organisation (71%) and having an awareness and understanding of security issues (79%). Three in five (57%) believe it means compliance with security policies, almost half (47%) think it means that security is embedded into the organisations culture, and more than a third (37%) say it has something to do with establishing formal groups of people that could help influence security decisions.
"It is important to note that the phrase security culture is beginning to find its way into the lexicon of IT leaders. But there is a problem – IT decision makers have vastly different definitions of security culture, which makes it almost impossible to measure and work towards," says Jayne.
"At KnowBe4, we define security culture as the ideas, customs and social behaviours that influence an organisations security. A common definition makes it possible to discuss the same thing, in the same way. We all know that if you do not measure something, that something does not exist."
Employees and security culture
When it comes to security across the broader organisation, employees are even more in the dark. Three in ten (30%) office workers say their employer hasn't communicated about security culture at all and more than half (53%) of office workers have never heard of the term security culture. Only a third of office workers (30%) say that their employer has communicated about security culture, and less than a quarter (23%) say they are clear on what it means and their role.
"How employees perceive their role is a critical factor in sustaining or endangering the security of the organisation," says Jayne.
"It is imperative that employees are educated on securing not only their professional, but personal environments. What they learn and how they incorporate into everyday behaviours and attitudes is then completely transferable into their personal lives and will protect their own data."
When it comes to asking for help, of those office workers who have an IT team to ask, almost a quarter (23%) say they are reluctant to ask their IT team security-related questions. One in six (17%) say it's a hassle, so they rarely ask their IT team for help if they have security related questions, while five percent fear the consequences and eight percent are embarrassed/ feel stupid asking their IT team security related questions.
Gen Z are most likely to be reluctant to ask IT security related questions (21%), compared to Millennials (7%), Gen X (5%) and Baby Boomers (7%).
"Building a strong and positive security culture is an effective mechanism to influence your users behaviour and, thereby, reduce your organisations risk and increase resilience."