Fujitsu's Building a Cyber Smart Culture survey of 331 senior executives in 14 countries (conducted in September 2020) suggests feelings of isolation among employees working remotely has made them feel less able to ask a workmate for casual advice concerning cybersecurity issues.
Furthermore, the study showed 48% of non-technical employees were reluctant to report any potential threats for fear of possible recrimination, leaving organisations exposed to cyberattack.
Other key findings include:
- 54% of organisations were unable to ensure that security policies had kept pace with significant changes.
- 45% of respondents believed cybersecurity had nothing to do with them.
- 60% said all employees in their company received the same cybersecurity training, despite significant differences in roles and security issues they face.
- Where the business provides role-based training, 61% found it ineffective. In particular, 35% said the training was too boring, 35% said it was too technical, and 32% said it was too long (which could be another way of giving either of the first two reasons).
- 69% of respondents thought cybersecurity training was most effective when it involved games, rewards, or quizzes to improve security awareness or behaviour, but there was no mention of any data that would take this idea from opinion to fact.
"For many organisations, cybersecurity was forced into the back seat in the race to enable remote working at the start of the COVID-19 pandemic. In too many cases, these makeshift, temporary arrangements are still in place. This means organisational cyberattack surfaces have increased; however, employees are reluctant to report potential incidents. An integrated approach is needed to implement cultural change that focuses on cybersecurity," said Fujitsu Oceania head of cybersecurity portfolio Martin Holzworth.
"The most common security breaches occur when employees click on email links or open attachments that deploy malware or collect sensitive information in phishing attacks. Addressing this weakness with the right corporate culture and knowledge sharing is the cheapest and most effective cybersecurity measure that a company can take.
Organisations need to empower and engage employees on an individual basis to ensure they are aware of potential security risks. They need to introduce a culture where everyone's job contributes to the company's overall security posture. However, it must be supported by the CEO and heads of departments. If cybersecurity is not owned at the top, it is not owned by the organisation. Investment in creating the right culture, educating employees, and building trust makes organisations genuinely resilient to modern cyberthreats."