A new survey has revealed some glaring gaps in the enterprise security ecosystem in the new normal. Even though a large majority of security leaders believe they have succeeded in inculcating a strong ‘security culture’ in their organization, there appears to be a growing disparity in how employees experience that culture.
The recent research conducted by email security company Tessian reveals that a significant percentage of employees are not engaged in their organizations’ cybersecurity efforts and don’t understand their role in keeping their company secure. Nearly one in three (30%) employees do not think they personally play a role in maintaining their company’s cybersecurity posture.
This is despite security teams rating their company’s security culture, on average, 8 out of 10. The survey indicates that a strong security culture, as perceived by IT and security leaders, does not guarantee fewer security incidents, as the alarming number of incidents reported shows. In fact, 3 out of 4 organizations in the survey say they experienced a security incident in the last 12 months, and a significant portion of the breaches reported involved human error, such as an employee downloading data to a personal storage device or falling for a phishing attack.
This widening gap, according to Tessian, is the result of employee disengagement across the board, and security leaders are not acknowledging it. In fact, when asked what has the most influence over a positive security culture, security leaders chose technology and training over engaged employees, communication channels, and senior executive buy-in.
This seems to be the fundamental problem behind cybersecurity programs that are largely ineffective. Drawing up comprehensive programs without employee engagement isn’t helping the cause. Consider this: 36% of employees find security awareness programs outright boring. Worse still, there is a sharp divide between what security teams think they’re providing and what employees are actually absorbing: 80% of security leaders said there’s a feedback loop for employees to report security incidents, yet nearly half of employees don’t even know who to report security incidents to.
In many cases, employees are not just disengaged; they have had outright negative experiences, with 1 in 2 reporting a negative experience with a phishing simulation. Authoritarian approaches and impersonal virtual programs often turn out to be futile, unlike positive reinforcement.
The need of the hour is to ensure that all employees take an active role in the company’s cybersecurity measures. As the survey rightly states: “cybersecurity is a team sport. The burden sits with everyone, across all levels and departments, from the Chief Finance Officer to a recently hired sales engineer.”
The report also recommends building touchpoints throughout the employee lifecycle, clear communication, and technology that helps build self-efficacy as good places to start in driving employee engagement. Security teams should play an active role not just in employee onboarding but in offboarding as well: 45% of IT leaders said that incidents of data exfiltration increased in the last year, as people took data with them when they left their jobs.
“To get people better engaged with the security needs of the business, education should be specific and actionable to an individual’s work. It is the security teams’ responsibility to create a culture of empathy and care, and they should back up their education with tools and procedures that make secure practices easy to integrate into people’s everyday workflows. Secure practices should be seen as part of productivity. When people can trust security teams have their best interest at heart, they can create true partnerships that strengthen security culture,” said Kim Burton, Head of Trust and Compliance at Tessian.
[…] “CISOs are taking a closer look at whether their existing controls are aligned with their organization’s attack surface. Most organizations have invested in assets and perimeter-centric controls, which is important. What is equally important is to have controls around data. Security must shift from being threat-centric to being user- and data-centric,” says Maheswaran. […]