Reaction to Social Engineering Indicative of Cybersecurity Culture

During COVID-19, threat actors used fear of the virus and hope of a vaccine to trick unwitting victims into downloading malware or giving up their credentials. It was a master class in social engineering, one that put an organization’s security posture at risk. Social engineering attacks like phishing exploit gaps in an employee’s awareness of basic cybersecurity best practices, and the harder an employee falls for the scams, the greater the skepticism about the entire organization’s cybersecurity culture.

Although no one has come up with an industry-standard definition of cybersecurity culture yet, Infosec explains that “a strong cybersecurity culture is based on employees willingly embracing and proactively using security best practices both professionally and personally.” Infosec also developed a framework, and fielded a survey, to help organizations quantify their cybersecurity culture, track changes over time and systematically measure results.

The study polled 1,000 working individuals to examine the collective approach of an organization’s security awareness and behaviors toward cybersecurity. “The results show employee beliefs toward cybersecurity vary widely, which can have a major impact on an organization’s security posture,” said Jack Koziol, CEO and founder at Infosec, in a formal statement.

Quality of Culture Depends on Company Size and Industry

The strongest cybersecurity cultures are found in large organizations with more than 50,000 employees, within security and IT departments and the law/legal services industry. Very small companies with fewer than 100 employees, distribution departments and the agriculture industry fall at the opposite end of the spectrum. However, employees seem to understand the importance of a strong security posture within their organization, as 66% said they would likely face serious consequences if they were responsible for a breach and 74% said they believe they’d be taken seriously if they reported a cybersecurity incident or issue. A positive sign for organizations building a strong cybersecurity culture is that seven in 10 respondents think security awareness training is valuable and will help employees keep security in mind both at work and home.

Bad Habits Die Hard

Saying that security training is a tool they would continuously use is one thing; actually following through with training is another. It appears that most employees still struggle to identify social engineering and phishing attacks.

“What we’ve found in most cases is that organizations are very reactive to social engineering attacks, but most cultural changes that come as a result of the attacks are short-lived,” Keatron Evans, principal security researcher, instructor and author with Infosec, said in an email interview.

“For example, we have clear data that shows that within 45 days after a successful phishing campaign, users are very aware and do a good job of screening emails, phone calls and adhering to other anti-social engineering recommendations,” Evans stated. “However, when we check again after 60 days or so, we find that these same users have largely reverted back to their old habits.”

Having security training is a good first step toward addressing this issue, but the training can’t be intermittent or a one-time shot. Evans said that continuous security awareness training is the most effective and recommended way to build a culture of security at your organization.

Changing culture is something that must evolve over time, and that includes the cybersecurity culture within an entire organization. A continuous, guided cultural transformation is more effective than a one-off campaign or cultural shake-up.

“I think the organizations that regularly fall victim to phishing scams are often a result of an ineffective security culture, which can, in turn, affect their cultural norms when it comes to security,” Evans said. “If the successful scams don’t cost significant loss or public relations damage to the organization, the organization will often become numb or desensitized to the attacks and adopt the ‘just part of doing business’ mindset.”

As employees embrace cybersecurity culture, leadership must do so as well, and that includes having open conversations about the bad as well as the good.

“If an employee is phished, reports it to security and is later heavily reprimanded, employees may be less likely to report similar incidents in the future,” Evans said. “This is why it is imperative that leadership be proactive in driving the security awareness message from the top down in the organization and showing commitment to maintaining good security posture—and culture.”

Sue Poremba

Sue Poremba is freelance writer based in central Pennsylvania. She's been writing about cybersecurity and technology trends since 2008.