It gets worse – only 39% say they’re ‘very likely’ to report a security incident
A startling new report indicates the disconnect between employees and their company’s cybersecurity efforts.
Nearly one in three (30%) employees don’t think they personally play a role in maintaining their company’s cybersecurity posture, according to new research from San Francisco-based email security company Tessian.
Furthermore, only 39% of employees say they’re “very likely” to report a security incident. When asked why, 42% of employees said they wouldn’t know if they had caused an incident in the first place, and 25% said they just don’t care enough about cybersecurity to mention it. Obviously, that makes investigation and remediation even more challenging and time-consuming for security teams.
Read more: Are you giving employees enough time off?
Virtually all IT and security leaders (99%) agreed that a strong security culture is important in maintaining a company’s cybersecurity posture. Yet, despite rating their organization’s security 8 out 10, on average, 75% of organizations experienced a security incident in the last 12 months.
“Everyone in an organization needs to understand how their work helps keep their coworkers and company secure,” Kim Burton, head of trust and compliance at Tessian, said in a press release. “To get people better engaged with the security needs of the business, education should be specific and actionable to an individual’s work.”
Nearly half (48%) of security leaders say training is one of the most important influences on building a positive security posture. But the reality is that employees aren’t engaged; just 28% of workers in the United States and United Kingdom say security awareness training is “engaging” and only 36% say they’re paying full attention. Of those who are, only half say it’s “helpful,” while another 50% have had a negative experience with a phishing simulation.
The report also reveals a disconnect when it comes to reporting security risks: 80% of security leaders believe “robust” feedback loops are in place to report incidents, but less than half of employees feel the same, suggesting clearer processes are needed so that security teams have greater visibility of risk in their organization.
“It’s the security teams’ responsibility to create a culture of empathy and care, and they should back up their education with tools and procedures that make secure practices easy to integrate into people’s everyday workflows,” Burton said. “Secure practices should be seen as part of productivity. When people can trust security teams have their best interest at heart, they can create true partnerships that strengthen security culture.”
The report also revealed generational differences when it comes to cybersecurity culture perceptions. The youngest generation (18-24) is almost three times as likely to say they've had a negative experience with phishing simulations when compared to the oldest generation (55+). In contrast, older employees are four times more likely to have a clear understanding of their company’s cybersecurity policies compared to their younger colleagues and are five times more likely to follow those policies.
Furthermore, younger employees are the least likely to see anything wrong with risky cybersecurity practices, such as reusing passwords, taking company data and opening attachments from unknown sources.