Half of all organisations lack a security aware culture

Posted on 26 January, 2016 by Advance 

Nearly three quarters of senior information security professionals surveyed said that the creation of a security-aware culture is a vital part of ensuring that an organisation has effective cyber security measures in place. Without such a culture, the risk posed by insider threats rises greatly, mostly as a result of employee accidents such as opening harmful emails which download malware. The company itself will also be an easy target for hostile actors, with repercussions that could seriously harm the organisation both financially and in terms of reputation.

According to the survey, 54% of Chief Information Officers (CIOs) and 48% of Chief Technology Officers (CTOs) were classed as being ‘very well informed of risks’. In comparison, only 27% of Chief Executive Officers (CEOs) and 25% of Chief Operating Officers (COOs) were classed as well informed. The board, meanwhile, was rated lowest for its risk awareness, at just 17%.

With nearly half of organisations lacking a cyber-aware culture, it appears that many are happy to talk the talk but not walk the walk when it comes to cyber security.

Creating a cyber-security-aware culture is the responsibility of an organisation's leadership. If executives and the board are not willing to learn how to create such a culture, or to invest in creating it, then it is almost certain that it will not be created.

The survey also reveals that Chief Information Security Officers (CISOs) are working hard to try to make sure that their superiors are aware of the risks. It seems that a lack of knowledge and/or an unwillingness to spend cash on the creation of a security-aware culture is the reason for such a high number of organisations lacking such a culture.

Fifty-six percent of the senior information security professionals that took part in the survey said that they were concerned that their organisation does not have an effective budget when it comes to information security and 37% of respondents said that the lack of budget threatens their ability to prepare for and respond to security incidents.

Over a third of the senior information security professionals that took part in the survey said that their organisation suffered a ‘business-affecting information security incident’ over the last year. Seventy-three percent of respondents said that their organisation had experienced social engineering and phishing attempts. Fifty-three percent reported a virus or malware outbreak. Almost a quarter experienced a DoS or DDoS attack. These figures highlight just how important having a cyber-aware culture is.

The education of executives and board members is key if organisations are to create a cyber security aware culture and introduce an effective budget to tackle cyber threats.