Since 1990, the Internet has spread around the world at great speed, and with it cybercrime has grown at a continuously increasing rate. Cyber security is therefore becoming more important. According to IBM, in 2022 a data breach cost on average 4.35 million US dollars.
What is the role of humans in cyber security?
One critical element of successful attacks is the human factor. According to a report by Verizon, a human element is involved in 82% of all breaches. Human elements include social engineering attacks as well as errors or misuse of systems. Many breaches start with exploiting weak credentials, guessing passwords, or sending phishing e-mails.
The best instrument is only as reliable as its user: While security tools and technical controls aim to improve an information system’s security, people are crucial in implementing and using them correctly. Working on security awareness and secure behaviours of people is thus a critical success factor for any security organisation, yet it is often neglected.
How does security awareness differ between different groups of employees?
Let’s examine how different factors like age or industry impact people’s attitudes towards security.
Does age affect whether people take security seriously? An article by CSO showed a large difference between the generations regarding IT security awareness. The study reviewed the security attitudes of Millennials, Gen Z, Gen X and Baby Boomers.
One finding was that Gen Z and Millennials are less concerned about IT security than Gen Xers and Baby Boomers. How can this be explained?
Gen Z and Millennials grew up with new technologies as a regular part of their lives, assuming that online services are secure. According to a Gallup poll, these users have a high level of trust in institutions to treat their personal data securely. If the online and offline worlds are perceived as equally safe, a young person might have difficulty seeing the point of some IT security controls. This explains why 58% of Gen Z and 42% of Millennials wait as long as possible before applying mandatory IT updates.
On the other hand, this number is only 15% for Baby Boomers, who were not raised with these new technologies and may have experienced the “wild west” that the internet was in the 1990s.
The same pattern holds for the reuse of passwords: 30% of Gen Z, 31% of Millennials, 22% of Gen X and 15% of Baby Boomers reuse their passwords. The stereotype of the old, non-tech-savvy user who sticks a post-it with their credentials on the monitor is thus not entirely accurate.
In Proofpoint’s “State of the Phish 2022”, phishing statistics across different industries and departments are reviewed. The automotive, electronics and engineering sectors perform best, with the lowest click rate on phishing messages. The highest failure rate was observed in the consulting industry. One possible explanation is that automotive, electronics and engineering employees routinely work with sensitive data and intellectual property and generally need a high level of safety awareness to avoid production failures and accidents.
Consultants, on the other hand, have a lot of contact with external staff at many different companies and often need to respond quickly, so suspicious e-mails may sometimes be overlooked.
The departments with the lowest failure rates are audit and IT, while purchasing had the highest failure rate. This sounds plausible since security is ingrained in the tasks of audit and IT. Purchasing includes a lot of contact with different companies, and employees may have to work with many different attachments that could carry malware. In a careless moment, a spam e-mail could be confused with a legitimate offer from a partner company.
Does security awareness differ between countries?
According to the Global Cybersecurity Index, there is a correlation between a country’s development status and its level of security awareness.
Developed countries like the USA, the UK and South Korea have strong security awareness because they are technologically advanced and technology is part of everyday life. These countries also have plenty of resources to support awareness activities. Organisations in developing countries, on the other hand, may lack the funding needed for awareness programs, and public communication about IT security risks may be less prominent than elsewhere. This leads to a lack of security awareness, and companies there are consequently more prone to social engineering and phishing attacks.
In conclusion, the level of security awareness can differ between groups and locations within your organisation. For a successful security awareness campaign, it is important to tailor the campaign to different age groups, departments and countries. One helpful tool for this is employee profiles that outline the factors influencing employee behaviour.
If you want to learn more about how we can support your security awareness program or want to improve security in your company, contact our expert team.