Meanwhile, the global Banking and Financial Services Industry fared better, but that does not mean they achieved an ‘excellent’ score.

Security culture involves how people think about and approach a more secure environment. It varies across industries, and can be measured across seven dimensions: attitudes, behavioral patterns, cognition, communication, compliance, norms and responsibilities.

In the latest comparison of this culture across 1,872 organizations around the world, it has been concluded that Banking and Financial Services industries had better metrics than those from Education and Construction.

According to Kai Roer, Managing Director, KnowBe4 Research, the firm that commissioned the yearly study: “The Security Culture Report takes a unique approach to evaluating security culture using seven different dimensions across a wide variety of industries. Of course, the pandemic has created some shifts in security culture when compared year-over-year. It will be interesting to continue to track how certain vertical industries change over time when it comes to their security culture.”

Summary of findings

On a year-by-year comparison, the education industry’s security culture has improved by two points. This improvement may be explained by education having been moved from classrooms to virtual settings due to the COVID-19 pandemic and the associated technology systems and training changes.

The legal industry had also increased its score by two points. Again, this could be attributed to procedures having been moved online.

On the other side of the spectrum, the news was not so good:

  • The Consumer Services industry dropped one point lower this time, maybe due to the reduction in the global workforce during the pandemic
  • The Construction industry scored one point lower than last year. This may be explained by the reduction in workforce due to the pandemic
  • Business Services also scored one point lower in this report. This sector has traditionally shown a high score, making this change somewhat unusual.
  • Results from this year’s report revealed a large gap between the best performers and the poor performers. The best performers were from Financial Services and Banking, industries with a long tradition of managing risk. However, being a ‘best performer’ does not necessarily equate to having performed at a desirable level, and these industries should not be too quick to congratulate themselves. They garnered a level of security culture well below the arbitrary ‘good’ rating. Research indicates that moving from one security culture class to another is directly correlated with risk. By improving from the current ‘moderate’ level of culture to the next level (‘good’), these industries can expect to see an eightfold reduction in employees sharing credentials.
  • As in earlier reports, the Education industry was one of the worst performers. However, it has shown a significant improvement compared to earlier years and is now demonstrating ‘moderate’ security culture. This improvement helps reduce the risk of employees sharing credentials by three times.
  • Another industry that saw an improvement from last year is the Legal industry, wherein many legal and court operations were forced online, even if some users seem to have struggled with the switch.
  • Unlike the Education industry, Construction experienced a drop in their security culture during the pandemic. Other industries with a reduction in security culture were the Consumer Services industry, and also Business Services.
  • Detailed analysis shows that the majority of all analyzed organizations managed to develop a ‘mediocre’ or ‘moderate’ security culture, while only a small portion of organizations had a ‘good’ security culture.

Finally, a few organizations scored in the ‘poor’ bracket, and none attained an ‘excellent’ rating. According to the firm, this is worrying amid a continued growth in the threat level posed by the cybercrime landscape. Ransomware payments reached an all-time high last year, with organizations across all industries being targeted, and phishing had surpassed other techniques as the most common tool used by hackers to gain access.

As such, the report asserts that security culture is a critical, need-to-have asset in the security toolbox. By assessing employees’ security awareness, behavioral patterns and culture, organizations can adapt their policies and training programs to the constantly changing threat landscape. The alternative becomes less attractive by the hour: do nothing and see your organization brought to a halt by ransomware, data theft or business interruption.