If you’re a manager or security leader, you probably assume that the majority of your employees are following cybersecurity practices within your organisation. However, new research by Tessian found that 25% of employees say they just don’t care enough about cybersecurity to mention a security incident. (Only 39% of employees reported that they were very likely to report a security incident.) Discover why employees are not following cybersecurity procedures.
Why employees are not following cybersecurity procedures
Tessian surveyed 2,000 employees in the UK & US in their research and found that nearly half of them (42%) would not know if they had caused a cybersecurity incident. Furthermore, a fifth (20%) of the employees surveyed reported that they do not care about cybersecurity at work. Half of these do not care about cybersecurity at home either.
Fewer than half of employees feel that there are robust feedback loops to report incidents. This contrasts with the vast majority (80%) of security leaders, who believe there are. So there is clearly a large disconnect between leaders and employees when it comes to cybersecurity.
How do security leaders view their cybersecurity?
When 500 IT & security leaders were surveyed, 99% of them reported that they agreed a strong security culture is important in maintaining a strong security position. In addition, on average, they rated their organisation’s security 8 out of 10. However, the majority (three-quarters) had experienced a security incident in the past 12 months.
How is cybersecurity training viewed by leaders and employees?
About 50% of security leaders believe training is one of the most important influences on building a positive security position. However, only a quarter (28%) of workers say that the training is engaging and only a third (36%) say they are paying attention. Of the employees who are paying attention, only half say the training is useful.
Clearly something is going very wrong with cybersecurity training and engagement with employees.
Older employees are more likely to follow cybersecurity procedures
The older generation of workers (55+) are 4 times more likely to have a clear understanding of their company’s cybersecurity policies in contrast to their younger colleagues (18–24-year-olds). Older employees are also five times more likely to follow cybersecurity policies.
What should leaders and employers do about their cybersecurity?
The security culture of organisations needs an overhaul if companies are to protect themselves and their employees and avoid security incidents.
Younger employees in particular need to understand the seriousness of security breaches, and their role in preventing and reporting them.
With most employees not even finding training engaging enough to pay attention, cybersecurity training needs to be designed and implemented in a way that’s more interesting and useful. Training also needs to be improved so that employees are aware if they have caused a security breach in the first place.
With a quarter of employees not caring enough about cybersecurity in their organisations to even report breaches, companies could look at incentives to increase engagement with procedures. Feedback loops need to become more robust for employees, not just in the eyes of security leaders.
Now that you know why employees are not following cybersecurity procedures, what changes do you need to implement in your organisation?