As digitalization increases across industries and more digital assets connect to the Internet, the attack surface available to cybercriminals and hackers grows dramatically. The increase in security breaches over the past decade has largely been attributed to people, not technology. Weak organizational measures mean that processes are not being properly implemented and employees are being socially engineered into giving away security credentials and confidential information.
Successfully implementing a holistic cybersecurity strategy with controls for people, process and technology is the key to managing risk. Security culture is the missing piece, needed to bridge the gap between technology on one side, and people and process on the other. In the 2018 Security Culture Report, published today, CLTRe analyzes the security culture scores of over 20,000 employees, from 4 industry sectors and speaking 7 languages, over 2 years, to understand differences in how people understand, relate to and use security within organizations.
The report, subtitled ‘Measure to Improve’, demonstrates the need to measure security culture across the full organization in order to pinpoint actual areas for improvement. In particular, the report covers three main areas:
- Industry benchmarking
- Language comparison
- Changes in security culture
Charts showing the Industry Benchmark data for 4 sectors across each cultural dimension, taken from the 2018 Security Culture Report by CLTRe.
In addition to Finance and Real Estate, which were included in last year’s report, this year’s report (SCR 2018) sees the introduction of two new sectors: Retail & Wholesale Trade and Information, Communication & Technology.
One of the major findings from the benchmark analysis is the large differences between the industry sectors, which are evident when comparing the average scores of each sector by dimension. Overall, the Finance sector scores better than the other sectors; however, we see above-average scores in the Retail and Wholesale Trade sector for the Attitudes and Compliance dimensions.
Another significant finding is that the Real Estate sector continues to demonstrate poor scores across all dimensions, giving it the worst security culture of all sectors covered by the 2018 report.
In the SCR 2018, we also take a look at the differences in the dataset by spoken languages. This report looks at Danish, Dutch, English (UK & US), Finnish, Norwegian, Polish and Swedish across each of the seven security culture dimensions: attitudes, behaviors, cognition, communication, compliance, norms and responsibilities. As expected, our findings show large differences in security culture across languages.
Language is an important aspect of culture, shaping the way we see the world and influencing our perception of risk. Many companies (multinationals in particular) seek to identify and manage the cultural differences affecting organizational security in order to better control and manage that risk. By measuring how security culture differs between site locations and from language to language, these companies are able to identify areas for improvement and track how efforts to influence security culture are effecting change.
For more details on the findings from our language comparison, check out our post on Comparing Security Culture by Language.
Changes in Security Culture
Being able to measure change in security culture is crucial for documenting the effectiveness of the cybersecurity measures taken to protect the organization and its data against cyber threats and security breaches. Security culture is constantly changing, as is seen in the time-based comparison, where samples are compared over two years.
All the organizations included in the security culture change analysis were subject to similar security awareness training. The report finds:
- Best in class, the Finance sector continues to improve. Fund Management and Insurance (Finance sub-sectors) make the largest year-on-year improvements overall.
- Security culture in the Real Estate sector worsened between 2016 and 2017 by 2 points, pointing to a need for more effective security culture programs.
Recommendations include creating security culture programs that are better tailored towards the challenges faced by each industry and the unique needs of its employees.