As digitalization across industries increases and more digital assets connect to the Internet, the attack surface available to cybercriminals and hackers grows dramatically. The rise in security breaches over the past decade has largely been attributed to causes other than technology, most pointing towards weak organizational measures such as processes that are not kept up to date and employees being socially engineered into giving away credentials and confidential information.
Security culture is the missing piece in the puzzle, bridging the gap between technology on the one side and people and process on the other. A holistic cybersecurity strategy that successfully implements controls for people, process and technology alike is the key to managing risk.
In this year’s security culture report, subtitled ‘Measure to Improve’ and published today, CLTRe analyzes the security culture scores of over 20,000 employees, speaking 7 languages and from 4 industry sectors, over 2 years to understand the differences in how people understand, relate to and use security within organizations. The differences found demonstrate the need to measure security culture across the full organization in order to pinpoint actual areas for improvement.
The 2018 Security Culture Report (SCR 2018) introduces two new industry sectors, Retail & Wholesale Trade and Information & Communication, in addition to Finance and Real Estate, which were included in last year’s report. One of the major findings of this report is the large differences evident when we compare the average scores of each sector by dimension:
Finance was one of the first sectors to digitalize its operations and is held to strong regulatory demands, so it may not be a huge surprise that security culture in the Finance sector is generally better than in other sectors. A more unexpected finding, however, is the above-average scores in the Retail & Wholesale Trade sector for the Attitudes and Compliance dimensions.
Another significant finding is that the Real Estate sector continues to demonstrate poor scores across all dimensions, giving it the worst security culture of all sectors covered by the 2018 report.
In the SCR 2018, we also examine the differences in the dataset by spoken language. This report covers Danish, Dutch, English (UK & US), Finnish, Norwegian, Polish and Swedish across each of the seven security culture dimensions: attitudes, behaviors, cognition, communication, compliance, norms and responsibilities. As expected, our findings show large differences in security culture across languages.
Language is an important aspect of culture, shaping the way we see the world and influencing our perception of risk. Many companies (multinationals in particular) seek to identify and manage the cultural differences affecting organizational security in order to better control and manage that risk. By measuring how security culture differs between site locations and from language to language, these companies are able to identify areas for improvement and track whether their efforts to influence security culture are actually effecting change.
For more details on the findings from our language comparison, please download the full report or read this related post.
Changes in Security Culture
Chart showing security culture change in five industries between 2016 and 2017.
Being able to measure change in security culture is crucial for documenting the effectiveness of the cybersecurity measures an organization takes to protect itself and its data against cyber threats and security breaches. Security culture is constantly changing, as the time-based comparison shows. Comparing samples over two years, the report finds:
Already best in class, the Finance sector continues to improve, with Fund Management and Insurance (Finance sub-sectors) making the largest year-on-year improvements.
Security culture in the Real Estate sector worsened by 2 points between 2016 and 2017, pointing to a need for more effective security culture programs, that is, programs better tailored to the challenges faced by that industry and the particular needs of its employees.
All the organizations included in the security culture change analysis were subject to similar security awareness training.
For more details on the changes in security culture over time, please download the full report or read this related post.