In the digital economy, company data and processes become the domain of IT services. As a result, IT security and management now represent critical business functions for all companies.
But, to what extent are employees aware of IT services and security policies at their companies?
We surveyed 1,000 full-time employees to understand how companies invest in IT security and how well employees understand and follow their companies' IT security policy.
We found that maintaining an IT security policy educates employees about company security and prepares companies for a security breach.
However, many companies still struggle to overcome an awareness gap among employees, particularly between those at decision-making and entry-level positions, about how their companies handle IT security.
- Over half (52%) of companies have cybersecurity policies.
- More than one-fourth (28%) of employees don’t know whether their company has a cybersecurity policy.
- Nearly half (46%) of entry-level employees don’t know whether their company has a cybersecurity policy.
- Nearly two-thirds (63%) of employees are uncertain whether their company will experience more IT security threats over the next year.
- A majority (56%) of employees feel their company is prepared for IT security threats.
- Employees identify physical theft of company property (17%) as the biggest threat to company security.
We suggest that companies focus on IT security training and onboarding to increase awareness about IT security policy and about potential threats.
Use this report to answer 5 main questions about companies' IT security policies and employee awareness of IT security threats.
- Are employees aware of cybersecurity policies at their company?
- What sentiments do employees have about IT security threats?
- Which companies have a cybersecurity policy?
- Why is it important to have a cybersecurity policy?
- What can companies do to improve IT security awareness?
1. Are Employees Aware of Cybersecurity Policies at Their Company?
Cybersecurity policies are common but not well understood.
Most (52%) companies have adopted cybersecurity policies. However, a significant number of employees are uncertain whether their company has a policy.
More than one-fourth (28%) of employees don’t know if their company has a policy.
Entry-Level Employees Largely Unaware of Company IT Security Policy
Entry-level employees are the least likely to be aware of their company’s security policy. Nearly half (46%) of entry-level employees don’t know if their company has a cybersecurity policy.
Our 2017 survey of IT decision-makers at large companies illustrates a knowledge gap between higher-ranking and entry-level employees. Our research found that 94% of large companies (500+ employees) have cybersecurity policies.
The IT decision-makers surveyed in our 2017 survey are among the most likely to recognize and understand their company’s cybersecurity policy, given their position. Since they also work at large companies, the chances that their company has a policy are also higher.
When IT security knowledge is concentrated among high-ranking employees, it increases the chance that the company does not communicate its IT security policy clearly, said Stephen Scott-Douglas, CIO of Ciklum, a global software engineering and solutions company.
“More aware [employees] at the senior level believe in their own gospel a bit too much. They’ve put a policy in place. They’ve told people the policy exists,” said Scott-Douglas. “The expectation is that it will permeate through the organization and everyone will think it’s important, but I think it sometimes gets lost. It is essential to embed policy and related procedures through education and continued testing.”
If IT security awareness fails to permeate a company’s ranks, a knowledge gap forms between employees at different positions, leaving entry-level employees unaware of how to comply with company security policies.
2. What Sentiments Do Employees Have About IT Security Threats?
Employees simultaneously express uncertainty about IT security threats and confidence in their company’s security preparation.
Employees Are Uncertain About the Number of IT Security Threats to Their Company
Many employees are unaware of the threats their companies will face in the near future. Nearly two-thirds (63%) are unsure whether the number of threats their company faces will increase or decrease over the next year.
Among entry-level employees, an overwhelming 86% don’t know how the number of cyber threats will change in the next year.
Employees’ lack of awareness puts companies at risk for IT security breaches. Both the number and severity of IT security threats will likely increase in the next year.
“Attacks will be more frequent, more voracious, and more sophisticated in breaking through any protection you can put in place,” said Scott-Douglas. “It’s quite a scary thought.”
Malicious actors in the IT realm pose an increasingly serious threat, and unaware employees are easy targets for them to exploit.
Employees Feel Prepared for Security Threats, Despite Lack of Awareness
Employees are generally confident in their companies’ security preparation, despite uncertainty regarding their companies’ cybersecurity policy and the current IT security threat landscape.
Over half of employees (56%) indicate that their company is prepared to address cybersecurity issues.
There is still a good deal of uncertainty in this area as well: Nearly one-third (32%) of employees are neutral or have no opinion about their company’s security preparedness.
The level of security preparation that employees cite may result from how they perceive security threats.
Employees Do Not Consider Threats to IT Services the Most Dangerous to Their Company
Surprisingly, employees consider physical burglary as the biggest threat to their companies, rather than anything related to IT services or security.
Employees identify physical theft of company property (17%) as the primary threat to their company’s security, over unauthorized information sharing (16%) and email phishing scams (13%).
Whether employees perceive a threat as dangerous depends on how tangible it is.
“If you have experienced personal theft, or friends or relatives have experienced personal theft, then you become more aware,” said Scott-Douglas. “The same applies to information security. There is something about experience that makes it real for people.”
By comparison, IT security threats involve data rather than physical objects, which is easier for employees to perceive as impersonal. This is especially true if a security breach involves the theft of company data, rather than personal information.
3. Which Companies Have a Cybersecurity Policy?
Whether a company invests in a cybersecurity policy corresponds with two main factors: company size and industry.
Large Companies More Likely to Have IT Security Policies
Large companies invest in IT security in two ways: policies and employee training.
Companies with over 50 employees are nearly twice as likely to have a cybersecurity policy (61%) as those with fewer than 50 employees (36%).
Larger companies commonly include security training during employee onboarding and later rely on policy compliance programs to keep employees informed about IT security.
“Larger businesses with well-established compliance training programs are more likely to receive training on information security than small businesses,” said Ian McClarty, president of PhoenixNAP Global IT Services, a Phoenix-based IT services company and management provider.
Onboarding and training allow employees to recognize and understand their companies’ IT security policy and approach.
Industry Regulations and Financial Risk Drive IT Security
Companies that operate in highly regulated and technical industries invest in cybersecurity policies.
Approximately 70% of companies in the business and financial services or information technology (IT) industries have cybersecurity policies – more common than any other industry.
For higher risk and closely scrutinized industries, strict IT security is the standard, and enforced, method of operation.
“The scope and complexity of the policy should be dictated by a risk assessment: Higher risk organizations will need a more thorough policy,” said Robert Gaines, senior manager at Accume Partners, an IT and security compliance company.
Companies within higher risk industries are partially driven by legal necessity to maintain strict security protocols and IT services management.
For example, New York became the first U.S. state to issue formal cybersecurity regulations for financial institutions in August 2017.
Financial stakes also compel companies to commit significant resources to IT security. Accenture’s 2017 Cost of CyberCrime report found that companies that offer financial services suffer the largest cost from cyber crimes.
Given the financial risk of an IT security incident, companies in these industries prioritize security.
4. Why is it Important to Have a Cybersecurity Policy?
Regardless of company size, having a security policy drives awareness and prepares companies for cyber threats.
Security Policy Drives Awareness and Prepares Companies for Cyber Threats
Cybersecurity policies encourage awareness and preparation for IT security threats among employees.
Employees at companies with cybersecurity policies are more likely to:
- Feel prepared for IT security issues
- Think the number of IT security threats will increase over the next year
- Identify IT services concerns as the biggest threat to their company security
Employee knowledge of IT security in each of these areas decreases the likelihood that a company will fall victim to a security breach.
Security Policies Help Employees Recognize IT Security Threats
Employees at companies with cybersecurity policies understand that IT services such as data sharing and email security are the most vulnerable part of their companies.
At companies with cybersecurity policies, just shy of one-fourth (23%) of employees identify unauthorized information sharing as the biggest threat to company security, and 17% identify email phishing; both groups outnumber the 15% who identify physical theft of company property as the biggest threat.
These employees also display more awareness of the IT threat landscape. Although this group still tends not to know how the number of threats will change in the next year, they are more likely to say the number of threats will increase in the next year – a realistic survey of the IT security landscape.
IT Security Policy Results in Security Preparedness
Because employees at companies with security policies possess an advanced sense of security awareness, they are more confident in their company’s preparedness for IT security threats.
Nearly three-fourths (71%) of employees at companies with cybersecurity policies feel prepared to address IT security threats.
By comparison, just one-third (33%) of employees who work at companies without a cybersecurity policy feel prepared for security threats.
The effort of implementing and maintaining a cybersecurity policy helps a company transition from incompetence to awareness, according to Scott-Douglas.
“The sheer act of taking the time to put in place a policy ... is the first step in going from the unconscious incompetence debate around [security] to building your competence to being aware of the threats and taking those threats very seriously.”
The time and focus required to create a policy provide benefits – employee awareness and preparation for IT security threats.
5. What Can Companies Do To Improve IT Security Awareness?
Companies that want to improve IT security awareness among their employees need to require security training for all employees.
Encourage IT Security Awareness at Top of Organization
The security mentality of company decision-makers directly impacts the security awareness of their employees.
Commitment from company leaders is required for effective IT security throughout an organization, said Carl Mazzanti, co-founder of eMazzanti Technologies, a New York IT security consultancy and provider.
“If the CEO is not committed to it, an effective policy is unlikely,” said Mazzanti. “Unfortunately, a recent security breach or loss has a way of motivating CEOs to implement a policy.”
Instead of a reactive policy, Mazzanti suggests proactive encouragement and communication between all levels of a company to foster effective IT security.
Implement Security Training During Onboarding
To effectively communicate IT security policy and threats, and to curb the awareness gap among employees, companies should invest in IT security training during the employee onboarding process.
The root cause of employee unawareness of security threats is a lack of security training during onboarding.
Companies are more likely to include security onboarding for higher-level employees who are considered higher security priorities, which accentuates the awareness gap between employees at different positions.
“Experienced-hire employees often go through an extensive onboarding and orientation process where the cybersecurity policy will be reviewed with them,” said David Gianna, senior manager at Protiviti, a global IT consulting firm. “This may not be the case with entry-level employees who may be considered low-risk to the organization’s security.”
In reality, entry-level employees often outnumber high-level employees and are a risk to companies.
Companies should invest in security resources and training for all employees, regardless of position. Company-wide training helps encourage IT security awareness and reduces the gap in understanding between higher-ranking and entry-level employees.
Employees’ IT Security Awareness Depends on Various Factors
IT security awareness depends on employees’ position, company size, and industry.
Employees at large companies and in regulated industries are nearly twice as likely to say their company has a cybersecurity policy.
However, many employees, particularly at the entry-level, are unaware of both their companies’ IT security policy and the severity of IT security threats.
Nearly half (46%) of entry-level employees don’t know if their company has a cybersecurity policy.
Nearly two-thirds (63%) of all employees don’t know whether the number of security threats their companies will face in the next year will increase or decrease.
Despite this lack of awareness, many employees remain confident in their company’s preparedness for IT security threats, partly because more employees consider physical theft of company property a bigger threat to company security than any threat to IT services or security.
Companies need to invest in a cybersecurity policy. Maintaining a cybersecurity policy and instituting security onboarding for all employees drives awareness of IT security threats among employees.