A recent ITWeb / KnowBe4 cyber security culture survey has found an improvement in cyber security maturity in South African companies, but KnowBe4 stresses that constant training and testing is needed to keep organisations on track.
This emerged during a webinar hosted by KnowBe4 in partnership with ITWeb.
Anna Collard, SVP of content strategy and evangelist for KnowBe4 Africa, released the findings of the KnowBe4 / ITWeb cyber security culture survey, which found that the majority (83%) of respondents currently run a security awareness and culture programme. This is an increase over the 2022 ITWeb KnowBe4 South African cyber security culture survey, when 72% of respondents said they ran a security awareness and culture programme, and 28% did not.
Collard said: “Security culture is either important or very important to 93% of respondents in this year’s survey, and even more so to the customers or clients of those organisations. This shows that having a security culture is definitely a competitive advantage.”
In the 2022 survey, 35% of respondents did not measure their security culture programmes. Those who did measure them looked mainly at metrics such as phishing simulations and incidents reported by end users.
In 2024, the majority (81%) of the survey respondents assess or measure their cyber security culture. Of these, 38% have a mature method in place to measure security culture, while 43% have some measures in place, but these could be improved.
The methods used to assess or measure cyber security culture include: looking at metrics such as phishing simulation percentages and incidents reported by end users (64%); using a standardised methodology and tool (48%); combining qualitative analysis (such as surveys) and quantitative data analytics (34%); and using external consultants (26%).
Defining security culture
Collard said: “One challenge in the security culture space is we use terms that mean different things to different people – for example: awareness, behaviour, culture, human risk management and human layer defence.”
She defined security culture as the collective values, beliefs, attitudes and behaviours within an organisation regarding security practices.
“There isn’t a technical solution for building security culture – it requires a mindset shift. To do so, we have to win hearts and minds, while influencing behaviours, with the ultimate goal of reducing risks aimed at humans and those which emanate from humans,” Collard said.
“What’s important is that you have a security culture in place and move the maturity level from rudimentary awareness to a culture where people understand the importance of cyber security, as well as their own human vulnerabilities and the fact that they can make mistakes when distracted.”
Building a security culture
Collard said organisations should aim to instil a zero trust mindset. “It means not trusting anything by default and verifying everything. Applied to humans, it calls for a healthy dose of scepticism and constant verification mindfulness practices encourage users to pause before reacting,” she said.
As organisations move from basic compliance to a mature and sustainable security culture, their risk decreases accordingly, she said. However, many organisations overestimate where they are in terms of security culture maturity.
Collard said: “The Fogg Behaviour Model says behaviour change happens when three things happen at the same time: motivation, ability and prompts to do the behaviour. To influence behaviour change, organisations can focus on the why and what, and strive to make the training content personally interesting and easy to digest. We also have to equip people with the ability to do the right thing, for example giving them password managers that make it easier for them.”
She emphasised: “Prompting and reminding people to do the right thing is also very important. Phishing simulations are a powerful way to remind people to do the right thing. In our customer base, we find that the most effective way to improve and maintain awareness is to do weekly phishing tests. The average user’s phish prone percentage is 30% for untrained, untested users, and only 1.79% among those who have been trained and have weekly phishing tests.”
Eugene Swartz, regional enterprise account manager for Africa at KnowBe4, outlined how KnowBe4 underpins cyber security culture.
“We find our solution reduces IT headaches such as data loss and having to reconfigure PCs,” he said.
Swartz demonstrated how the KnowBe4 platform allows companies to benchmark their progress against their industry vertical, company size and programme maturity.
“To understand the organisation’s security culture and the knowledge base of individuals in the organisation, KnowBe4’s Security Awareness Proficiency Assessment is designed to ensure we give you the necessary information as it relates to areas such as social media, mobile devices, concepts like the human firewall, internet security, email use and incident reporting,” he explained.
“The Security Culture Survey ensures we ask certain questions of the workforce to determine which areas are least and most security minded, and where the organisation needs to improve security culture programmes. The platform has embedded training of every kind, including data on the latest methods used by hackers, to help employees think smarter and behave smarter,” Swartz said.
Share