Report: No Organization’s Security Culture Has Received ‘Excellent’ Score

5 years ago David Bisson

Security culture matters to executives, but these individuals are struggling to implement it. In a November 2019 study commissioned by KnowBe4, 94% of individuals with managerial duties or higher in security or risk management said that security culture was important for their organization’s success. Even so, Security Magazine shared that 92% of respondents were still experiencing security incidents and working on integrating their security strategies with their business strategies despite having embedded security culture in their organizations.

These findings raise several questions. Is it possible for organizations to evaluate the effectiveness of their security cultures? If so, are there larger trends that could help organizations in different industries strengthen their security cultures?

The Multiple Dimensions of a Security Culture

KnowBe4 arrived at an answer in its report, “Measure to Improve – Security Culture Report 2020.” In this study, the security awareness training provider collected data from 120,050 employees working at 1,107 organizations spread across 24 countries and 17 industry sectors. It did this for the purpose of developing an objective scientific method to evaluate and compare the relative components of an organization’s security culture.

For this task, KnowBe4 broke down its analysis into seven different components:

  • Attitudes: How employees feel towards the organization’s security protocols and issues.
  • Behaviors: Employees’ activities and actions that affect an organization’s security.
  • Cognition: The knowledge that employees have of security issues and activities.
  • Communication: The types of channels that the workforce can use to discuss and share support for security-related issues.
  • Compliance: The awareness that employees have of their organization’s security policies and how they follow them.
  • Norms: The extent to which employees are knowledgeable of and adhere to the organization’s unwritten codes of security conduct.
  • Responsibilities: How employees view their role in either supporting or undermining their organization’s security.

From there, KnowBe4 used a proprietary statistical algorithm to calculate the strength of each dimension on a scale of 0-100. Those scores broke down into the following ratings: Excellent (90-100), Good (80-89), Moderate (60-79), Poor to moderate (50-59), Poor (30-49) and Extremely poor (0-29). Using those scores, the company was able to compare the strengths and weaknesses of organizations’ security cultures across different industries.

The Small Gap Separating Strong and Poor Performers

Overall, KnowBe4 found that the best performers and poor performers weren’t all that far apart. Banking and Financial Services were the two sectors that had the strongest average security cultures at a score of 76. They were closely followed by Insurance and Technology, both at 75. The security awareness training provider reasoned that these industries did well because of the regulations with which they must already comply for managing financial and security risks.

On the other end of the spectrum, the Education industry received the lowest score of 68. A close look at this sector revealed to KnowBe4 that Education organizations were still in the process of accepting their exposure to digital threats. The company noted that the outbreak of coronavirus 2019 (COVID-19) had had a significant impact on Education. As a result, it reasoned that organizations in this sector might improve their security cultures going into 2021.

Transportation and Energy & Utilities didn’t do much better at 70 and 71, respectively. Regarding the former, organizations in Transportation faced challenges as they advanced their digital transformation by bringing new devices into their environments. Kai Roer, managing director, CLTRe AS – a KnowBe4 Company, noted that COVID-19 had also had an effect:

Transportation of goods has demonstrated its importance in these times of Covid. The abruption of delivery services has led to breakdown of food distributions, as well as interruptions in production for other industries. Due to its criticality in today’s inter-connected societies, the Transportation sector really needs to up its game on security. If not, we risk that hackers start to target logistics operations and bring down companies, industries and potentially, countries.

Acknowledging these challenges, KnowBe4 recommended that Transportation organizations work with their employees to make sure they’re aware of relevant security policies. It also advised that they encourage security-related activities including training and education programs.

The Energy & Utilities sector found itself in a different place than the Transportation industry at the time of the study. Several federal and non-profit organizations espoused the mission of working with the sector to provide organizations with security training, risk detection and threat prevention tools for defending against nation-states and digital criminals. But these measures didn’t help the Energy & Utilities sector as a whole achieve a score higher than 71.

Roer was a bit perplexed by this finding:

The Energy sector is often considered critical infrastructure, and as such, one would expect the security in general to be quite good. Our research shows that the expectations are not matched by reality. One must ask why it is so that a sector like the energy sector is performing so poorly on security culture. Are they forgetting the human element of security? Do they think social engineering is not an issue for them?

A closer look revealed that the sector received a moderate performance in the Norms dimension with a score of 68. In response, KnowBe4 recommended that organizations invest in their ongoing security awareness training programs. Such education would also help Energy & Utilities organizations in the Cognition dimension, which was only 66 for this sector.

Inside Other Sectors’ Struggles with Security Culture

Education, Transportation and Energy & Utilities weren’t the only sectors in which organizations struggled with their security cultures. Government and Manufacturing also experienced some challenges. Organizations in the Government sector weren’t new to the need to manage risk across an increasingly complex infrastructure at the time of the study. Even so, this experience didn’t elevate the sector’s average security culture rating above 71.

Roer explained that organizations can improve their scores by focusing on their people:

Governments are tasked by a large number of obligations – from managing critical infrastructures, to protecting the country from outside (and inside…) threats, to improving the population’s education and culture. Such a wide variety of tasks will result in a lot of variation in their security needs and practices. Although we do see the variation being documented by the security culture scores across the sector, we are surprised to see the generally low score for the sector as a whole. It is time for the governmental sector to step up their game on fighting social engineering and building strong human firewalls.

Meanwhile, Manufacturing received the exact same security culture score as Government. But it faced different security challenges. In particular, many organizations in the industry were working to modify and globalize their supply chains as part of their digital transformations. This task involved adding greater connectivity to manufacturing platforms.

“This sector is not performing well when it comes to security culture,” Roer asserted. “Intellectual properties are a valuable target for the bad guys, and the best way to fight off the criminals is by upping the game on social engineering protection and building strong human factors. There are important areas for improvements: strengthening the Norms will help building better behaviors and thus help protect the sector.”

In particular, Roer recommended that manufacturing organizations focus on cultivating threat awareness within the organization as well as investing in ongoing training for employees.

The Central Takeaway

These findings reveal that all industries maintained a Moderate rating for their security cultures. At the organization level, 92% of analyzed organizations received a Moderate score; the remaining 7% earned a Good score. These findings indicate that organizations have invested at least somewhat into their security cultures. But in the absence of a single Excellent score, they also reveal that organizations could be doing much more.

Building a strong security culture starts with understanding how each individual can use their position to effect change. For greater insight into this process, download this Tripwire guide.

The post “Report: No Organization’s Security Culture Has Received ‘Excellent’ Score” appeared first on TripWire.

Source: TripWire – David Bisson
