Security-Minded Employees Still Pose Risks

Despite their training and best intentions, even the most security-minded employees behave in ways that put the enterprise at risk, according to The Security Culture Report 2018.

The report, which covered eight industry sectors, surveyed more than 21,000 employees who spoke seven different languages. The results show that employee behaviors specific to cybersecurity are subpar across virtually all sectors in both Europe and the United States, even among employees who are considered to be security minded.

Norwegian software company CLTRe AS collected the data and found evidence that poor security behavior is not limited to any specific sector, though the real estate sector fared the worst when looking specifically at cybersecurity culture.

Given that financial institutions are so frequently targeted with attacks, it’s not surprising that the finance sector reportedly had a better security culture when compared to other sectors.

“We believe there are a number of reasons for these huge differences between the industry sectors. The finance sector, for example, has a long tradition of security and compliance, which has instilled a culture of security,” said Kai Roer, CEO of CLTRe.

“The trade sector, whilst also heavily regulated, typically sees many employees without higher education. Combined with high staff turnover in the industry, these factors influence its security culture, and so it is no surprise that they also impact security behaviors.”

For the first time, the study tracked changes and looked at two years' worth of data related to security cultures and found some industry sector improvements. In ranking the security culture across sectors and languages, the study used a scale of 0–100. Despite some sectors showing slight improvements, the real estate sector declined from a security culture score of 57 in 2016 to 55 in 2018.

“The change itself may not be dramatic, but the fact that it is negative suggests that this industry needs to review their current practices,” said Roer.

“It is too early to call it a trend,” explained Dr. Gregor Petric, chief science officer at CLTRe. “We need data-points over more years for that. What we do see is the ability to pick up changes by using our measurement instrument.”
