Three-Quarters of Employees Feel It’s the Company’s Job to Ensure Security, Despite Three-Quarters Also Personally Experiencing a Cyberattack

Even with employees seeing cyberattacks first-hand and understanding the seriousness of such attacks, organizations have a culture problem where users just don’t care.

I’ve long held the position that the employee needs to play a role in the organization’s cybersecurity stance – something achieved through creating a security culture that starts with Security Awareness Training. New data from security vendor Terranova’s From Data Protection To Cyber Culture report shows that employees don’t have this frame of mind – and it’s a lack of training to blame.

According to the report, there’s a huge disparity between an employee’s experience with cyberattacks, and how they think the problem should be addressed:

• 76% of employees in France, the UK, Canada, Australia, and the US say a cyberattack has personally targeted them or that they know someone who has
• 78% say it’s the job of the company’s IT department to ensure the company’s cybersecurity stance
• Only 20% of employees say they pay attention to cybersecurity despite it not being a part of their job

Part of the problem is that employees themselves don’t have a solid fundamental knowledge of cyberattacks, good cyber hygiene, and security awareness best practices:

• Only 30% of employees say that their personal cybersecurity knowledge is good
• Only 10% of employees say that they, their company, and their colleagues have an excellent level of cybersecurity knowledge

Part of the problem is that only 38% of employees surveyed said that their company has set up a mandatory cybersecurity awareness program for all. This, despite the fact that over three-quarters (79%) state that they are interested in security awareness training, even if their company does not offer it.