Every year, new security threats emerge on top of existing ones, keeping security professionals and CISOs in a never-ending loop of fighting cybercrime. Cybercrime is growing more serious as attackers gain new tools, better disguise techniques and faster attack speeds. By 2025, cyber attacks are projected to cost the world about USD 10.5 trillion annually, up from about USD 3 trillion in 2015.1
To keep pace with emerging threats, businesses are raising their IT and cyber security budgets. In 2017, global information security spending stood at USD 131 billion; by the end of 2024 it is expected to surpass USD 200 billion.2 Median security spending per organization is around USD 3.75 million, a significant budget for protecting IT infrastructure.3
Despite these considerable investments, the impact of threats remains large, mainly because of a lack of security culture and awareness. Many studies identify human error as the primary cause of data breaches; about 90% of breaches can be attributed to it.4 Small errors can escalate into a full-blown data breach: clicking a link in an email from an unknown sender, reusing a weak password across too many applications, or accidentally exposing data to the public.
That is what happened to Microsoft when employees on its AI research team unintentionally exposed 38 terabytes of internal data. The team published open-source training data on GitHub, but the download link pointed at an Azure Storage account through a shared access signature (SAS) token that was far too permissive, so the entire storage account was readable by anyone who had the URL. The exposed data included private keys, passwords, tens of thousands of internal Teams messages and personal workstation backups of two employees. Luckily for Microsoft, no customer data was involved, sparing it lawsuits and compliance penalties. After Wiz Research reported the exposure, the company invalidated the token, fixed the permissions and secured the data.5
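The Microsoft exposure came down to a single over-permissive SAS link published alongside otherwise harmless code. Such links are easy to catch before they ship: the permissions, scope and expiry are all spelled out in the URL's query string. The following Python script is an added example, not code from the original article and not Microsoft's or Wiz's tooling. It scans a piece of text (a README, a commit diff, a wiki page) for Azure Storage SAS URLs and flags the properties that turn a download link into a data exposure: write or list permissions, account- or container-wide scope, and an expiry far in the future. The storage account name, container names and signature values in the sample text are constructed, and the 7-day expiry threshold is an assumption to adjust to your own policy.

```python
import re
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlparse

# SAS query parameters as documented by Azure Storage:
#   sp  - granted permissions, one letter each (r read, l list, a add, c create,
#         w write, d delete, x delete version, y permanent delete, m move,
#         e execute, o ownership, p permissions, i set immutability, t tags, f find)
#   sr  - service SAS scope: b blob, c container, d directory, bs/bv snapshot/version
#   srt - account SAS resource types: s service, c container, o object
#   se  - expiry time in ISO 8601 UTC
#   sig - HMAC signature; its presence marks a URL as a SAS link
MUTATING = set("acwdxymoepi")  # any of these lets the holder change or remove data
MAX_EXPIRY_DAYS = 7            # assumed policy: short-lived links only

def audit_sas_url(url: str, now: Optional[datetime] = None,
                  max_days: int = MAX_EXPIRY_DAYS) -> List[str]:
    """Return human-readable findings for one SAS URL; an empty list means it passed."""
    now = now or datetime.now(timezone.utc)
    query = parse_qs(urlparse(url).query)
    if "sig" not in query:
        return []  # not a SAS URL at all

    def first(key: str) -> str:
        return query.get(key, [""])[0]

    findings = []
    perms = set(first("sp"))
    if perms & MUTATING:
        findings.append(f"write/delete access granted (sp={first('sp')})")
    if "l" in perms:
        findings.append("list access granted, so the whole scope can be enumerated")
    if first("srt"):
        findings.append(f"account-level SAS (srt={first('srt')}) spans every container")
    if first("sr") in ("c", "d"):
        findings.append(f"scoped to a whole container/directory (sr={first('sr')})")
    expiry = first("se")
    if not expiry:
        findings.append("no expiry in the URL")
    else:
        when = datetime.fromisoformat(expiry.replace("Z", "+00:00"))
        if when - now > timedelta(days=max_days):
            findings.append(f"valid until {expiry}, more than {max_days} days out")
    return findings

def scan_text(text: str, now: Optional[datetime] = None) -> Dict[str, List[str]]:
    """Find every SAS URL in a blob of text and audit each one."""
    urls = re.findall(r"https://\S+", text)
    return {u: audit_sas_url(u, now) for u in urls if "sig=" in urlparse(u).query}

# Constructed sample README: one dangerous account-wide link, one acceptable blob link.
SAMPLE_README = """
Download the training set:
https://contosostorage.blob.core.windows.net/datasets/?sv=2020-08-04&ss=b&srt=sco&sp=rwdlacx&se=2051-10-06T07:19:50Z&sig=FAKESIG%3D
Reference image:
https://contosostorage.blob.core.windows.net/public/sample.png?sv=2020-08-04&sr=b&sp=r&se=2024-01-03T00:00:00Z&sig=FAKESIG%3D
"""
CHECK_TIME = datetime(2024, 1, 1, tzinfo=timezone.utc)  # fixed clock for repeatable output

def demo_report() -> Dict[str, List[str]]:
    """Audit the sample README as of CHECK_TIME."""
    return scan_text(SAMPLE_README, now=CHECK_TIME)

if __name__ == "__main__":
    for url, findings in demo_report().items():
        print(url)
        for f in findings or ["OK"]:
            print("   ", f)
```

Running this as a pre-commit hook or CI step turns the Microsoft lesson into a mechanical check: the first link is rejected for granting write, delete and list access across the whole account until 2051, while the read-only, single-blob, short-lived link passes.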
Several other examples show that employee errors have led to devastating consequences (read about Equifax’s story in this blog). Security tools alone cannot guarantee protection; an organization needs a security culture. That is why the topic has reached the boardroom and become a key priority for CISOs.
Security culture is the set of values and shared beliefs about security that are followed across an organization. One example is an organization that enforces strict role-based access control, granting access only to those who need it for their role and to no one else. Such a practice fosters good security hygiene and keeps incidents arising from unauthorized access to a minimum. A consistent set of practices like this constitutes a security culture.
Its core components are security policies and controls, security practices, training and awareness, security tools, compliance requirements, regular security assessments and updates, clearly defined roles and responsibilities, incident response plans and leadership initiatives. Beyond these technical and organizational elements, what matters most is every individual’s attitude towards security. Culture should be part of the organization’s DNA. Together, these factors create a culture that produces a robust security posture.
Today’s attack surface has expanded with cloud and digital technologies, and it is impractical to fend off every attack. No matter how advanced the defenses, a single phishing email (email remains the most common delivery vector for malware, and phishing is attackers’ favorite weapon) and one unaware employee are all it takes for a data breach. Cybercriminals know that humans are the weakest link, and most attacks are designed to exploit human weaknesses.
Phishing attacks are getting smarter and faster thanks to generative AI: they increased by more than 1,200% in 2023 alone as attackers adopted Gen AI tools.6 Every unsecured endpoint or network connection is also a potential entry point for an attacker. Picture an employee connecting to corporate applications over an unsecured or compromised Wi-Fi network at a café; such situations are a dime a dozen.
Insider threats are sometimes intentional, with employees stealing or leaking data. In 2023, former Tesla employees leaked sensitive data to the media, including customer bank details, employee personal information and compliance records.7
Attacks or data breaches can cause:
Employees must therefore be made aware of the scenarios in which careless behavior can lead to a security incident. Most companies now invest in security awareness training that explains security concepts in plain terms and shows how non-compliance can hurt the organization. Building a culture, however, has to start at the top.
Security is not one person’s or one team’s concern; it is everyone’s responsibility. Culture, however, always starts at the top: for it to thrive, leaders and executives must set the example for their teams. Leaders need to communicate effectively and show empathy when needed. For instance, employees who accidentally cause a security incident should not be penalized or singled out but coached on the right behavior. That response encourages people to report mistakes, and positive reinforcement of good behavior works better than punishing bad behavior. Leadership that is convinced of the value of security culture also invests in awareness training for employees.
Security training should be role-specific so that employees understand the threats they face in their roles and the business impact of their actions. It should raise awareness rather than incite fear. One survey found that 39% of IT professionals fear phishing attacks most, 49% expect their organization to face a phishing attack soon, and 20% of employees are still likely to click on links in phishing emails.10 Employees who expect to be judged harshly are unwilling to admit and report their errors, which is a serious cultural problem.
Not every error is an immediate security breach; it can be as mundane as sending an internal email to an external recipient or attaching the wrong file. Left unreported, such errors can escalate and, at times, cost a customer.
Awareness training can take the form of quizzes, surveys, classroom sessions or attack simulations; some organizations favor simulations because they give teams a more realistic learning experience. Best practices need to be shared and reinforced periodically so that they are not forgotten. Topics include identity theft, password policies, multi-factor authentication, social engineering, public Wi-Fi, safe browsing, data backups, software updates, device security, breach recovery and compliance requirements.
Security awareness also means writing clear security policies and promoting them. For instance, a phishing awareness and response policy can document how to recognize and respond to phishing attempts, the relevant terminology, reporting and response procedures, the simulation schedule and how often the policy is reviewed. Similarly, organizations need a clear incident response plan that names the individuals responsible for handling an incident. Defined roles and cross-trained teams improve response time during a crisis and lead to faster recovery.
It is also advisable to empower teams by making certifications and knowledge bases accessible. Organizations can sponsor training and certifications covering frameworks and regulations such as the NIST Cybersecurity Framework, ISO 27001, SOC 2, PCI DSS, HIPAA, GDPR and NIS2.
It is important to start slow and small; culture cannot be adopted or changed overnight. Here is what organizations can do:
Answers to questions such as these help evaluate the success of security training programs, because management will always tie the effectiveness of security culture to KPIs.
Security culture cannot be set in stone; it needs to be reviewed and adjusted as best practices, security tools, the threat environment and employee feedback change. Companies with a clear security strategy that includes a culture roadmap see improvements in resilience of as much as 46%.11
Organizations with a deeply ingrained security culture also see improved compliance levels. This shift is already under way: about 70% of compliance and risk professionals say the topic is taken more seriously than it was a few years ago.12
Businesses realize that without a security mindset, sustained compliance can never be achieved. A typical organization must follow five or six compliance standards, which becomes too much when resources are short. These requirements can only be met through the right security practices. Average non-compliance costs are almost 3x higher than the cost of compliance, so being compliant saves the company money.
Organizations that invest in security awareness training can reduce human-related risk from about 60% to 10% within a year and see returns of at least 7x on the investment.13
[Return on security investment = (Annual cost of security incidents and breaches avoided – annual security investment) / annual security investment]
Studies also show that employees identify threats better after security awareness training; in some cases awareness levels improved threefold, and phishing simulation training reduces employee errors by 60%.14 Beyond the monetary aspects, compliance also confers a competitive advantage and builds customer confidence.
As emphasized earlier, culture is not one or two things. Investing in the right security tools and resources, applying updates and patches on time, checking for vulnerabilities and misconfigurations, maintaining incident response plans, and enforcing sound data security policies and access controls are all part of it.
The right security tools further strengthen the culture. Many human errors can be eliminated through automation, which also improves incident response, compliance and threat detection. Security teams that triage alerts manually are often overwhelmed: on average they receive more than 4,400 alerts a day, of which over 80% can be false positives. The resulting burnout means a critical alert can be missed, and there are many instances where such misses have led to full-scale data breaches.
Burnout is common not just in security teams but also in leadership. Gartner estimates that one in four cybersecurity leaders will change jobs because of work-related stress, which can be attributed to poor organizational culture and skills shortages.15 The right tools can address both issues to an extent.
Automation coupled with artificial intelligence (AI) helps security teams analyze large volumes of data and alerts and respond to real threats. This reduces false positives as well as detection and response times. It also saves money: organizations that used security AI and automation saved about USD 1.7 million per breach on average compared with those without such capabilities.
It does not stop at AI; other modern controls such as endpoint protection, zero trust architecture and microsegmentation should also be considered.
Start building your security culture today. Humans need not be the weakest link, after all. If you are considering strengthening your cyber security culture and resilience, we can guide you. Talk to us today.
1 Global Cybersecurity Spending Article, 2021, Cybercrime Magazine
2 Information Security Spending, 2023, Statista
3 IT Security Budget Article, 2023, Kaspersky
4 Human Errors in Cybersecurity Breaches Article, 2022, Usecure
5 Microsoft AI Breach Article, 2023, TechCrunch
6 Gen AI in Phishing Attacks Article, 2023, CNBC
7 Real-life Insider Threats Article, 2023, Code42
8 Cost of Data Breach Article, 2024, UpGuard
9 Data Breach Cost Article, 2023, Terranova Security
10 Phishing Survey Article, 2023, Security Today
11 Security Resilience Article, 2022, Cisco
12 Risk Compliance Report, 2023, Thomson Reuters
13 Security Awareness Training Effectiveness Article, 2022, Usecure
14 Phishing Training Article, 2024, CyberPilot
15 Cybersecurity Leader Prediction Press Release, 2023, Gartner