'Huge disconnect' between employer and employee perception of security
There is a ‘huge disconnect’ between IT managers and employees when it comes to the perception of whether an organisation is ‘ticking the security compliance box’, according to a new study from Mimecast and Forrester Consulting.
59% of IT managers in a survey conducted by Forrester say they are doing enough for their organisation’s cybersecurity, yet 53% of employees disagree, and 51% believe their managers do not stress enough the importance of good security practices.
The survey was conducted across Australia, Hong Kong, New Zealand and Singapore between January and February 2020 and involved 120 senior IT and business decision-makers responsible for cyber safety at companies with more than 100 employees.
It also quizzed 240 knowledge workers from the same companies, who regularly use email and digital channels in the workplace.
The report also found that investment in security awareness and training (SA&T) does not necessarily translate into concrete behaviour change among employees – with half of respondents in New Zealand admitting to flouting security policies despite attending SA&T.
This could potentially be explained by another finding in the Forrester report – that traditional SA&T is ‘long and unengaging’, and does not rely on behavioural science to achieve its objectives of behaviour and culture change.
This leads to static employee behaviour, contributing to the aforementioned disconnect between employee and employer perception of security.
“While security leaders in APAC believe they’ve made security a social norm by leading and encouraging others, this survey underscores that employees are not retaining, understanding or implementing key areas of cybersecurity training – and the existing outdated modes of training are simply not bringing about behavioural change,” says Mimecast country manager A/NZ Nick Lennon.
“In the current COVID-19 business conditions, with many employees working remotely indefinitely, the last thing businesses need is a security breach.”
The report concludes that APAC firms must advance SA&T programs by exploring alternative content types, providing different methods of delivery based on employee preferences, and extending training outside the workplace.
“Almost half of business leadership teams (45%) still have the incorrect perception that security impedes their workforce productivity,” says Forrester Consulting project director Line Larrivaud.
Lennon says the security crises revolving around the pandemic call for cybersecurity to be assigned more significance.
“At a time when global cybersecurity threats, customer data breaches and the potential for reputational damage have never been greater, it’s of vital importance that business leaders and employees understand and value the importance of cybersecurity best practice within their organisation,” says Lennon.
“They simply cannot ignore the consequences or circumvent the protocols.”