Nobody will disagree with the statement that maintaining a strong culture of security is important to avoiding incidents like data breaches and phishing attacks, but just because your employees agree with that statement does not mean they will tell you when they uncover a problem, according to newly released research.
Fewer than 40% of employees will actually report an incident, according to data released this week by Tessian, a software company based in the United Kingdom. When asked why they would choose not to report an incident, 42% of employees said it is because they would not know if they were the cause of the incident and 25% said they just do not care enough about cybersecurity to mention it.
The survey also asked professionals how secure they thought their systems were, and while respondents rated their security infrastructure eight out of 10, 75% of respondents had experienced some sort of security event in the past 12 months, demonstrating just how important — and how overlooked — security is.
Humans are known to be the weakest links in a company’s information security perimeter, and training is often cited as the most important method of providing employees with the tools and understanding necessary to keep data and systems secure. Nearly half of the survey’s respondents said that training is what has the greatest influence on a company’s security posture, but 28% of employees said that the training they receive is engaging, and only 36% said they are fully paying attention to the training they receive.
“Employees focus on what they perceive their role to be,” said Tessian’s Kim Burton, Head of Trust and Compliance. “If leadership treats security as separate from everyday work, if security is only spoken about during annual training time, people will do what matches with their perception of their job.”