CPO Magazine - News, Insights and Resources for Data Protection, Privacy and Cyber Security Leaders

Published on October 24th, 2022

Despite Years of Employee Engagement Efforts, Cybersecurity Cultural Disconnect Remains; 1 in 3 Employees Don’t Understand the Importance of It



Cybersecurity professionals have been striving for years to make the more casual internet user aware of the pernicious and ever-evolving threat landscape that endangers their sensitive personal information and the fortunes of their employers. A study from cloud security firm Tessian indicates that, despite increased awareness of personal privacy issues, a large chasm of cultural disconnect remains in the realm of security. Employee engagement is a particular problem, with fewer than half saying that they were very likely to report a cybersecurity incident and a quarter not even pretending to care about it.

Cultural disconnect greater at work than at home, even as organizations focus on cybersecurity

Security professionals have also been striving for years to get executives on board with serious defensive postures, and have been experiencing a good deal of success as of late. A substantial number of rank-and-file employees are not buying in, however. This cultural disconnect threatens to undermine all of these efforts, as all it takes is one mentally checked-out employee to open the door to attackers.

The survey included 2,000 enterprise employees in the United States and United Kingdom and was conducted in July. Only 39% said that they were “very likely” to report a potential cybersecurity incident if they noticed it. When the disengaged employees were asked why, the largest number (42%) said that they would not know if they had caused an incident or be able to recognize one. 25% simply said that they don’t care about cybersecurity and could not be bothered.

Other surveys in recent years have shown a sharply increased awareness of personal privacy issues online, along with demand for better protections from companies that handle this information and more active regulation by the government. This survey does indicate that people seem to be more interested in their own home affairs, as only half of those who could not care less at work also reported not caring about their security at home. The cultural disconnect and loss of employee engagement seem to be centered on either not being aware of the organization’s cybersecurity policies, or just not being invested enough in the company or the job to care what happens.

Are companies in touch with employee engagement levels?

These are particularly worrying findings as many organizations have committed to long-term remote work in the wake of the Covid-19 pandemic, something that generally asks more of employees in terms of diligence and procedures to keep internal networks secure.

Organizations may not be aware of poor employee engagement levels in the area of security, as 99% of the 500 IT decision-making respondents felt that a strong security culture was vital and self-evaluated their current security posture at an average 80% rating. However, despite tending to rate their own programs highly, about 75% of this group also admitted that they experienced a security incident within the last year.

Cybersecurity training also does not rate particularly well with either leaders or employees. Only 48% of decision-makers rate it as one of the most important factors in building a security posture. Only 36% of the employees say that they pay full attention to security training materials, and only 28% feel these programs are engaging. 50% say they have failed a phishing simulation test, and about 20% say that they do not even show up for scheduled security training sessions.





The cultural disconnect may tie in with a communications disconnect. 80% of the security leaders feel that they have strong feedback processes in place to report incidents, but only a little under half of the employees agreed with this. Age also appears to play a role, with older employees generally taking security more seriously. Rates of failure in phishing simulations are three times as high in the youngest cohort (age 18-24) as they are in the oldest (at least 55), and the older employees are four times more likely to understand cybersecurity policies and five times as likely to follow them. The youngest group is also the one that has the highest level of favorability toward poor security hygiene practices such as reusing login credentials, opening email attachments from unknown parties and taking sensitive company files outside of the secure network area.

The report dives into the employee engagement problem in some detail, highlighting some of the training materials that cause employee eyes to glaze over. Unsurprisingly, these tend to be unremarkable, samey PowerPoint presentations and notices that blend in with the 100 “TPS reports” that office workers barely pay attention to every day. The materials are also often designed by legal or compliance teams that are more concerned with ticking required boxes than actually getting the message across; in some cases these staff members may not understand cybersecurity all that well themselves.


But the report also finds that the cultural disconnect may be fed by companies focusing on fear and punishment as motivators, which can end up having the opposite of the desired effect on employee engagement. The report suggests moving to a rewards-based system of training, as well as “front-loading” security training as new employees are onboarded (when other studies show they are most receptive and have a highly favorable outlook toward the company). Communications should also be tailored to the unique risk combinations that each department faces; for example, business email compromise in the payroll department.

 


