90% of companies don’t have the cybersecurity culture they want

| October 18, 2018

With cybersecurity threats continuing to escalate worldwide, the ISACA/CMMI Institute Cybersecurity Culture Report found that just 5 per cent of employees think their organisation’s cybersecurity culture is as advanced as it needs to be to protect their business from internal and external threats.

More than 4,800 business and technology professionals shared their insights in the global research study, conducted via online polling in June 2018.

Cybersecurity culture is a workplace culture in which security awareness and behaviors are seamlessly integrated into everyone’s daily operations, as well as a strategic executive leadership priority. In a threat-ripe environment, an effective cybersecurity culture can help employees understand their roles and responsibilities in keeping their organisations safe and customer data secure.

However, just 27 per cent of Oceania respondents (34 per cent of global respondents) say they understand their role in their organisations’ cyber culture.

Companies must take an all-hands-on-deck approach to counter cyberattack threats, the report summarises.

“Enlisting the entire workforce to mitigate an enterprise’s cyber risk is an emerging practice,” says Doug Grindstaff II, SVP of Cybersecurity Solutions at CMMI Institute. “We are hearing a lot of feedback about how organisations can move the needle on employee involvement. It’s challenging, but organisations are rightly concerned by the growing sophistication of cyberattacks.”

Widespread employee involvement correlates strongly with the minority of organisations that have achieved strong satisfaction with their cybersecurity culture.

Nine in ten employees (92%) at these organisations say that their C-level executives share an excellent understanding of the underlying issues, which may be why they loop-in their employees so well; 84 per cent of employees at these organisations say they understand their role in cybersecurity.

Other critical findings include the fact that many organisations lack the first—and all-important—step toward a cybersecurity culture. 57% of Oceania organisations (42% of global organisations) do not have an outlined cybersecurity culture management plan or policy.

Aligning the entire workforce with the organisation’s cybersecurity policies also requires significant capital. Organisations that report a significant gap between their current and desired cybersecurity culture are spending just 19% of their annual cybersecurity budget on training and tools; organisations that believe their cybersecurity culture is where it is supposed to be are spending more than twice as much (43%).

“A key motivator for organisations delaying investing in their cybersecurity cultures is a lack of awareness about the attempted threats and ongoing risks, as well as a lack of awareness about the assets at risk to cybersecurity threats,” said Rob Clyde, CISM, NACD Board Leadership Fellow and ISACA Board Chair.

“However, individuals tend to underestimate the potential damage and overestimate technology’s ability to limit such incidents. Doing so puts their organisations at serious risk.”

SHARE WITH:
First 5000

First 5000 is a news and networking site for Australia’s mid-sized business community.  Write a blog, comment on an article and follow us on Twitter, Facebook and LinkedIn.