Data from Tessian reveals the disconnect between security leaders and employees when it comes to security cultures
July 26 2022 - New research from email security company Tessian reveals that a significant percentage of employees are not engaged in their organizations’ cybersecurity efforts and don’t understand their role in keeping their company secure.
According to the report, nearly one in three (30%) employees do not think they personally play a role in maintaining their company’s cybersecurity posture.
What’s more, only 39% of employees say they’re very likely to report a security incident, making investigation and remediation even more challenging and time-consuming for security teams. When asked why, over two-fifths (42%) of employees said they wouldn’t know if they had caused an incident in the first place, and 25% say they just don’t care enough about cybersecurity to mention it.
Virtually all IT and security leaders surveyed by Tessian (99%) agreed that a strong security culture is important in maintaining a strong security posture. Yet, despite rating their organization’s security 8 out of 10, on average, three-quarters of organizations experienced a security incident in the last 12 months.
The report suggests this could stem from a reliance on traditional training programs; 48% of security leaders say training is one of the most important influences on building a positive security posture. But the reality is that employees aren’t engaged: just 28% of UK and US workers say security awareness training is engaging, and only 36% say they’re paying full attention. Of those who are, only half say it’s helpful, while another 50% have had a negative experience with a phishing simulation. With recent headlines depicting how phishing simulations can go awry, negative experiences like these further alienate employees and decrease engagement.
The report also reveals a disconnect when it comes to reporting security risks. Eighty percent of security leaders believe robust feedback loops are in place to report incidents, but less than half of employees feel the same, suggesting clearer processes are needed so that security teams have greater visibility of risk in their organization.
The report also revealed generational differences when it comes to cybersecurity culture perceptions. The youngest generation (18-24 year olds) is almost three times as likely to say they've had a negative experience with phishing simulations when compared to the oldest generation (55+). In contrast, older employees are four times more likely to have a clear understanding of their company’s cybersecurity policies compared to their younger colleagues, and are five times more likely to follow those policies.
When it comes to risky cybersecurity practices such as reusing passwords, taking company data and opening attachments from unknown sources, younger employees are the least likely to see anything wrong with these practices.
“Everyone in an organization needs to understand how their work helps keep their coworkers and company secure,” said Kim Burton, Head of Trust and Compliance at Tessian. “To get people better engaged with the security needs of the business, education should be specific and actionable to an individual’s work. It is the security teams’ responsibility to create a culture of empathy and care, and they should back up their education with tools and procedures that make secure practices easy to integrate into people’s everyday workflows. Secure practices should be seen as part of productivity. When people can trust security teams have their best interest at heart, they can create true partnerships that strengthen security culture.”
Read the full report here: Tessian Security Cultures Report 2022 https://www.tessian.com/resources/security-cultures-report-2022/
Tessian is committed to securing the human layer in the enterprise, by protecting all the digital interactions people need to get their jobs done - starting with email. Tessian is a leading cloud email security platform that intelligently protects organizations against advanced threats and data loss on email, while coaching people about security threats in-the-moment. Using machine learning and behavioral data science, Tessian automatically stops threats that evade legacy Secure Email Gateways, including advanced phishing attacks, business email compromise, accidental data loss and insider threats. Tessian’s intelligent approach not only strengthens email security but also builds smarter security cultures in the modern enterprise.
The company is backed by legendary investors such as March Capital, Sequoia, Accel and Balderton, and has been recognized as one of Fast Company’s Most Innovative Companies for 2022.
Head of Communications, Tessian