Three-quarters of UK and US companies have experienced a security incident in the last 12 months, as a significant percentage of employees admit that they are not engaged in their organisation’s cybersecurity efforts. This is according to research unveiled in a new report from the email security company, Tessian.

Research details and findings 

The report, titled: How Security Cultures Impact Employee Behaviour, surveyed 2,000 UK and 2,000 US employees, and 500 UK and US IT decision makers.

The data revealed that 85 percent of employees participate in security awareness programmes, however, 64 percent don’t pay full attention when in the session. What’s more, 36 percent of respondents consider their company’s security training ‘boring’.

Importance of strong security culture

30 percent said they don’t think they play a role in maintaining their company’s cybersecurity

The report also revealed that staffers don’t understand their role in keeping their company secure. 30 percent said they don’t think they play a role in maintaining their company’s cybersecurity, and 45 percent don’t even know who to report security incidents.

Virtually all IT and security leaders surveyed by Tessian (99 percent) agreed that strong security culture is important in maintaining a strong security posture, however, 45 percent of IT leaders said incidents of data exfiltration have increased in 2021, as people took data when they left their jobs, and, one in three employees admitted to taking data with them when they quit their job.

Generational differences

The report also revealed generational differences when it comes to cybersecurity culture perceptions. Older employees are four times more likely to have a clear understanding of their company’s cybersecurity policies compared to their younger colleagues and are five times more likely to follow those policies.

When it comes to risky cybersecurity practices such as reusing passwords, taking company data, and opening attachments from unknown sources, younger employees are the least likely to see anything wrong with these practices.

Specific and actionable security education

Everyone in an organisation needs to understand how their work helps keep their coworkers and company secure"

Kim Burton, Head of Trust and Compliance at Tessian, commented, “Everyone in an organisation needs to understand how their work helps keep their coworkers and company secure."

"To get people better engaged with the security needs of the business, education should be specific and actionable to an individual’s work."

Secure practices

It is the security team's responsibility to create a culture of empathy and care, and they should back up their education with tools and procedures that make secure practices easy to integrate into people’s everyday workflows."

"Secure practices should be seen as part of productivity. When people can trust security teams have their best interest at heart, they can create true partnerships that strengthen security culture.”

Download PDF version Download PDF version

In case you missed it

Anviz Global expands palm vein tech for security
Anviz Global expands palm vein tech for security

The pattern of veins in the hand contains unique information that can be used for identity. Blood flowing through veins in the human body can absorb light waves of specific wavelen...

Bosch sells security unit to Triton for growth
Bosch sells security unit to Triton for growth

Bosch is selling its Building Technologies division’s product business for security and communications technology to the European investment firm Triton. The transaction enc...

In age of misinformation, SWEAR embeds proof of authenticity into video data
In age of misinformation, SWEAR embeds proof of authenticity into video data

The information age is changing. Today, we are at the center of addressing one of the most critical issues in the digital age: the misinformation age. While most awareness of thi...

Quick poll
What is the most significant challenge facing smart building security today?