Redefining the security culture – a better way to protect your business
Results of our Information Security Breaches Survey indicate that organisations are struggling to deal with more targeted phishing and malware attacks, both in traditional forms and as more nefarious ransomware. Despite continued increases in ongoing security awareness programmes, users remain the chink in the organisational armour and will likely remain so until sufficiently effective training programmes are devised.
Rather than reacting to breaches by continuing to do more of the same, organisations would be advised to start defining their security culture as a more effective means of shaping the judgements, decisions and behaviours of staff at key moments. They should first maximise the use and effectiveness of their current investments in tools, people and processes, and put in place a means of quantifying their effectiveness.
When they’re able to objectively show that investment in new technology is required, they should do so, giving, where possible, priority to technologies which empower end users to naturally make the right security decisions.
Our prediction in last year’s survey that more organisations will prioritise the protection of customer information as the threat of sanctions under the General Data Protection Regulation (GDPR) looms closer is confirmed by this year’s results. Protection of customer information slid into first place, with 22% of respondents indicating it is the most important driver for their information security spending, slightly ahead of the usual leading cause, preventing downtime and outages, which garnered 20% of responses.
Until organisations actively track their information security spending and objectively evaluate its effectiveness, we’ll likely continue to see budgets growing without any commensurate observable improvements in security.
Just as important as having the necessary expertise is developing a strong information security culture. Awareness and training are crucial, but can only be truly effective within a robust corporate security culture. As survey results show, user behaviour is often central to a cyberattack; employees’ ability to make the right assessments and decisions makes all the difference in helping create a "human firewall".
Companies should rely on external assistance not only for the technical aspects of information security, but also for support in change management, to guide the organisation through a culture change and create an optimal mind-set.
PwC can help you understand the implications of today’s security landscape and guide you in adopting a forward-thinking approach by applying new concepts to the unique needs of your business, your industry and your threat environment.
Let us show you how to effectively combat the security threats of today and plan for those of tomorrow.
The top causes of breaches reported in the survey were inadvertent human error, lack of staff awareness of security risks, failure to follow a defined process and external attacks specifically targeting an organisation.
Overall, the direct link between human action and breaches is hard to ignore. More than half of respondents (57%) have implemented ongoing security awareness training programmes. Unfortunately, this move has yet to have any effect on the number and severity of breaches.
Just under 20% of participants completed the portion of the survey dedicated to biometrics. Of those, a third (36%) have already implemented a biometrics solution for authentication, with the remainder planning to do so.
Users of biometrics systems are overwhelmingly employees (71% of cases), with users or customers representing 29% of the population. In all cases, traditional authentication mechanisms (something you know, something you have) remain the norm among 90% of surveyed organisations. There is currently little desire to use biometrics for other purposes besides authentication.