New Zealand Organisations Are Struggling To Build A Security Culture

Wednesday, 15 March 2023, 1:03 pm
Press Release: KnowBe4

15 March 2023: Business security has been at the forefront of Kiwis’ minds following high-profile data breaches last year, but IT decision makers are still struggling to build a culture of security in their organisations, according to new research from KnowBe4, announced today. Only one quarter (26 percent) of IT decision makers across New Zealand know what 'security culture' is and think their organisation has a good security culture.

More than a quarter (26 percent) of IT decision makers have never heard of the term ‘security culture’ (almost half [48 percent] of office workers say the same). Of the remaining three quarters (74 percent) of IT decision makers who say they have heard of 'security culture' before, less than three in five (58 percent) know what it means.

“Every organisation already has a security culture whether you like it or not. The challenge is to understand it as it stands today, define what you want it to be and go about making that happen,” says Jacqueline Jayne, Security Awareness Advocate APAC at KnowBe4.

Worryingly, more than one in ten (13 percent) say they know what 'security culture' is, but don't believe their organisation needs it. A further one in ten (9 percent) say they know what it is, and that their organisation needs to have one in place, but don't know how to achieve it. Nine percent say they don't have one in place, while six percent think it is someone else's responsibility.

What is security culture?

When it comes to defining security culture, those IT decision makers who have heard the term most commonly say that, to them, 'security culture' means recognition that security is a shared responsibility across the organisation (62 percent) and having an awareness and understanding of security issues (54 percent). One in two (48 percent) believe it means compliance with security policies, more than a third (36 percent) think it means that security is embedded into the organisation’s culture, and a further one in three (32 percent) say it has something to do with establishing formal groups of people that could help influence security decisions.

“It is important to note that the phrase ‘security culture’ is beginning to find its way into the lexicon of IT leaders. But there is a problem – IT decision makers have vastly different definitions of security culture, which makes it almost impossible to measure and work towards,” explains Jayne. “At KnowBe4, we define security culture as the ideas, customs and social behaviours that influence an organisation’s security. A common definition makes it possible to discuss the same thing, in the same way. We all know that if you do not measure something, that something does not exist.”

Employees and security culture

When it comes to security across the broader organisation, employees are even more in the dark. A fifth (21 percent) of office workers say their employer hasn't communicated about security culture at all, and almost half (48 percent) of office workers have never heard of the term 'security culture'. Only a third of office workers (31 percent) say that their employer has communicated about security culture, with less than a quarter (23 percent) saying they are clear on what it means and what their role is.

“How employees perceive their role is a critical factor in sustaining or endangering the security of the organisation,” explains Jayne. “It is imperative that employees are educated on securing not only their professional, but personal environments. What they learn and how they incorporate it into everyday behaviours and attitudes is then completely transferable into their personal lives and will protect their own data.”

When it comes to asking for help, of those office workers who have an IT team to ask, more than one in five (21 percent) say they are reluctant to ask their IT team security-related questions. Thirteen percent say it's a hassle, so they rarely ask their IT team for help if they have security-related questions, while 11 percent fear the consequences and 7 percent are embarrassed or feel stupid asking their IT team security-related questions.

Building a strong and positive security culture is an effective mechanism to influence your users’ behaviour and, thereby, reduce your organisation’s risk and increase resilience. For more information on how to build a security culture with KnowBe4, visit www.knowbe4.com.

