The 2020 Security Culture Report collected data from more than 120,000 employees across 24 countries to find out exactly how deeply security was embedded in the company culture. Or not.
South Africa, Kenya, Botswana, Namibia, Zimbabwe, USA, UK, New Zealand, Norway and India were some of the countries included in the survey. The industries included Banking, Financial Services, Insurance, Education, Transport, and Energy and Utilities.
The overall security culture scores were measured across seven dimensions that included Attitudes, Behaviours, Cognition, Communication, Compliance, Norms and Responsibilities. These were then further analysed against country and industry sector to provide a holistic global security overview. The results? Not what you might expect.
“Asia has the highest security culture score, followed by the United Kingdom,” says Anna Collard, SVP of Content Strategy and Evangelist, KnowBe4 Africa. “The continent of Africa is on par with North America, Australia and New Zealand at 73 and leading ahead of Europe at 69.
The higher score could be because Africa has leapfrogged legacy issues that plague some of the security environments in Europe. It may also be explained by the fact that about 90% of the African participants are from South African financial institutions.
South Africa is a country where security and risk behaviour is ingrained in people’s daily lives and the Financial Services sector is ahead of other sectors when it comes to digital security Attitudes and Behaviours.
“While Africa isn’t quite as compliant as the USA overall, our results show a more positive Attitude, Norms and Behaviour towards securing information. However, where Africa – and the rest of the world – is struggling is in Education. This sector scored particularly badly with Communication policies, Attitudes and Cognition, which is linked to learning. It’s an area that we have to become aware of, as it puts students and educators at risk.”
The recent shift in the world has caused many education institutions to find new footing online and this has made an already shaky sector even more vulnerable. The report emphasises how students and teachers have become even more reliant on technology and need better security protocols and foundations in order to stay secure.
This is a wake-up call for education, globally, not just in Africa. It is equally one that should be heard by the Transportation and Energy and Utilities sectors. They too scored very low on the table compared with banking, finance and insurance – all industries that scored better in comparison to the low performers.
However, they shouldn’t be too quick to congratulate themselves. For instance, a score of 76, as seen by Banking and by Financial Services, is well below the expected level of 90 or above.
“The question that the report raises is simple – how can the organisation embed secure employee behaviour to minimise the risk and maximise protection?” asks Collard. “The answer is that security has to be management’s responsibility and needs to remain an ongoing priority. A few emails and posters about password hygiene aren’t going to cut it when a phishing email or ransomware breaks loose. And this can happen with just one accidental click of a mouse.”
The report underscored one very important fact – the human element is underserved. The culture of an organisation can significantly affect its security and by understanding the various factors that influence this culture and how it can be remedied, the organisation can significantly change its security.