We’re thrilled to announce the release of the 2024 Security Culture Report, which dives deep into how security measures affect organizations and the way employees act and feel at work.
The 2024 edition delivers insights from over 800,000 employees in 4,078 organizations across 18 industries; the largest effort to date.
The Upshot
The overall security culture score globally stands at 72 (low to moderate), unchanged from the prior year. As one would expect, smaller organizations tend to have higher culture scores. It’s far easier to change the culture of a smaller group than a larger one.
In fact, of the seven security dimensions measured in our research, Behaviors was the only one in which large organizations scored higher than others. Globally there seems to be less understanding, knowledge and awareness of security, as well as less responsibility.
While there is a great deal of variance depending on geographical location, organization size, and industry, the sobering fact is that there is much work still to be done in order to raise the standard in culture.
As a business leader you can leverage the data from this report to ensure necessary investment dollars are allocated to the most critical part of the security infrastructure: the human layer.
"The growing understanding of the essential role that security culture plays within any successful organization is encouraging,” said Stu Sjouwerman, CEO, KnowBe4. “However, this is an ongoing process and building and maintaining a strong security culture is not a luxury, but a business necessity. It is critical for all industries, especially those heavily targeted by cybercriminals, to prioritize security culture and invest appropriately, particularly in reducing human-based risk."
Check out our infographic for more information:
Defining Security Culture
KnowBe4 defines “security culture” as the ideas, customs and social behaviors that influence an organization’s security and reduces human risk. Security culture is best understood as the collective mindset, practices and norms that shape how an organization approaches and prioritizes security.
Check out our video below for highlights from the report:
Security Culture and AI
The report addresses AI garnering significant attention but not yet impacting the nature of cyber attacks. While bad actors may exploit AI to create sophisticated social engineering tactics, the foundational structure of cyber attacks remains unaltered. This is because attacks will follow the same core formula of social engineering, armed with more efficient tools such as deepfakes and dramatically improved translations.
As a result, defenses against these cyber attacks would follow a consistent formula of watching out for traditional signs of social engineering. Therefore, using AI's potential to train individuals and enhance defensive measures is a strategic necessity against cybercrime.
Takeaways from Around the World
- In Africa, the average security culture average score is 72 (same as the prior year) for the assessed organizations from 20 countries across Africa.
- In Asia, a wide variation of security culture scores exists. Notably, the Middle East and East Asia exhibit a higher degree of maturity in their security cultures compared to their counterparts in Central, South, and Southeast Asia.
- In Europe, security culture exhibits significant variation in understanding and adoption across industries, with a general trend toward increased awareness in highly digitized sectors.
- In North America, Financial organizations and those that handle large sums of money continue to lead the charge simply because the stakes are so high. Unfortunately, Government, Manufacturing, and Education represented some of the lowest scores despite being some of the biggest targets, including for ransomware.
- Security culture in Oceania has increased year over year as a topic of interest in the region with a welcome addition of business units outside of IT, such as HR, at the table.
- For South America, the overall security culture score is categorized as low to moderate, standing at 71. It's important to highlight that the sample sizes from various South American countries are small, indicating a general lack of fundamental security measures within numerous organizations.
Get Your Copy Now
For more in-depth analysis and to see how your organization compares to colleagues around the world, download the report yourself.
