Security culture has increased year over year in ANZ, but remains behind the global average. High risk industries like Government, Banking and Healthcare score well below global average.
KnowBe4, the provider of the world’s largest security awareness training and simulated phishing platform, today announced the release of its 2024 Security Culture Report. The report examines how cybersecurity measures related to the human element affect organisations and the way people act and feel at work.
KnowBe4 defines ‘security culture’ as the ideas, customs and social behaviours that influence an organisation’s security and reduces human risk. Security culture is best understood as the collective mindset, practices and norms that shape how an organisation approaches and prioritises security.
KnowBe4's latest Security Culture Report reveals the overall security culture score globally stands at a low-moderate level, a measure based on seven different dimensions of security culture (Attitudes, Behaviours, Cognition, Communication, Compliance, Norms and Responsibilities) across regions and industries worldwide. This was unchanged from the prior year.
In Australia and New Zealand, security culture has increased as a topic of interest in the region with a welcome addition of business units outside of IT, such as HR, at the table. In 2024, Australia recorded a moderate security awareness score of 71 and New Zealand 72, but they continue to trail Europe (73) and North America (73).
Across Oceania, Technology organisations recorded the highest security culture score of
77, above the regional average. Alarmingly, there are six sectors scoring 70 or under: Government (70), Construction (70), Banking (70), Energy and Utilities (69), Education (69), and Healthcare and Pharmaceuticals (67) – in contrast to the U.S. where Insurance, Financial Services, and Banking industries are top performers in security culture due to the high-risk nature of their operations.
The dimension of Cognition is low in both Australia (69) and New Zealand (67), which may indicate a lack of ongoing training that would otherwise increase understanding, knowledge, and awareness. Overall, the region falls behind the global average, indicating a potential to mature security culture across organisations.
“In the past 12 months, Australia and New Zealand have experienced significant data breaches including Latitude Financial and Medibank, which have affected millions of people. The growing understanding of the essential role that security culture plays within any successful organisation is encouraging, but there’s more to do,” said Dr Martin Kraemer, Security Awareness Advocate, KnowBe4. “As more people continue to fall victim and advances like AI add complexity to cybercrime, it is critical for all industries, especially those heavily targeted by cybercriminals, to prioritise security culture and invest appropriately, particularly in reducing human-based risk."
Globally, organisations recognise that employees are a key defence against cyberattacks and that leadership needs to adopt a top-down approach to build a strong security culture. The report shows that smaller organisations are performing better in their overall security culture compared to larger counterparts, primarily because larger organisations often struggle with efficient leadership communication due to their size, whereas in smaller organisations, individuals feel more responsible for security.
The report addresses AI garnering significant attention but not yet impacting the nature of cyberattacks. While bad actors may exploit AI to create sophisticated social engineering tactics, the foundational structure of cyberattacks remains unaltered. This is because attacks will follow the same core formula of social engineering, armed with more efficient tools such as deepfakes and dramatically improved translations. As a result, defences against these cyberattacks would follow a consistent formula of watching out for traditional signs of social engineering. Therefore, using AI's potential to train individuals and enhance defensive measures is a strategic necessity against cybercrime.
To download a copy of KnowBe4’s 2024 Security Culture Report, visit here. KnowBe4 also offers a Security Culture How-To Guide which provides steps and a checklist for organisations to define, build and foster a strong security culture.