KnowBe4: All Industries Need to Improve Security Culture

A new report by KnowBe4 Research shows all industries need better a security culture to avoid being targeted by cybercriminals.

It’s the first “Security Culture Report” from KnowBe4’s new research arm. The company collected data from 120,050 employees in more than 1,100 organizations across 24 countries.

In all, it examined 17 industry sectors. The results reveal a large gap between the best performers and the poor performers.

The top performers were from banking, financial services and insurance. The worst were from education, transportation, and energy and utilities.

KnowBe4 research scored all industries according to seven dimensions: attitudes, behaviors, cognition, communication, compliance, norms and responsibilities.

Education Sector Disappoints

Perry Carpenter is KnowBe4‘s chief evangelist and strategy officer. He heads the new research division.

KnowBe4’s Perry Carpenter

“I was dismayed at how much the education sector struggles in all measurement areas,” he said. “The data indicates that there are systemic security culture issues in this sector. This would be bad during years when there are no other external pressures. However, all of the uncertainty related to education in the era of COVID-19 will exacerbate the problem.”

These issues related to security culture in education will likely result in some “very public and messy incidents,” Carpenter said.

“This is a critical time for the education sector to step up and put intentional focus on strengthening their security culture,” he said. “Otherwise, the rapid technology adoption they are being pushed into as a result of COVID-19 will create a security culture crisis.”

The data shows no industry, even the highest scoring ones, should be overly pleased with their scores, Carpenter said.

“We see that one of the main reasons for this overall lackluster performance is that there is a general fuzziness in how organizations understand security culture,” he said. “We see that organizations know that culture is important, but they don’t really know what it is. And because they don’t know what it is, they have a difficult time creating actionable plans for improvement.”

Strong Correlation with Security Risk

The research shows a strong correlation between low security culture scores and high security risk, Carpenter said.

“In other words, organizations that struggle with security culture are going to be softer targets for attackers,” he said. “So attackers will be successful against poor performers more often and it is likely that attacks will result in larger, more devastating incidents.”

The primary vector that attackers leverage is usually social engineering to trick end users, Carpenter said.

“Resilience to social engineering relates to the security culture dimensions of behavior and cognition,” he said. “Good security behaviors can be codified into habits, building a healthy security hygiene. And similarly, employees can be taught and conditioned to approach situations with a more secure mindset. Organizations that ignore these dimensions of security culture do so at their own peril.”

The technology sector’s scores were OK, but not in a good way, Carpenter said.

“For instance, the tech sector claimed the top score in the cognition dimension,” he said. “However, that was still only a 73 (moderate). In fact, most of the technology sector scores were in the moderate range. But we need to keep in mind that moderate is not good. The range for good is 80 to 89. The sector’s overall security culture score was only a 75.”

That means many of the organizations trusted with the most sensitive data might be struggling to foster a security culture to safeguard that data, Carpenter said.

The report and survey can “really step in and make a difference,” he said.

“By breaking this amorphous concept into seven distinct and measurable dimensions, we are able to provide organizations with what they need — clarity,” Carpenter said. “The clarity to identify gaps and determine how best to chart a path toward improvement.”