Despite the number of high-profile data breaches in recent years, Singapore employees apparently are scratching their heads over what it means to have a security culture.
Just one third of IT decision makers in the Asian nation understood what constituted having a “security culture”, while 53% of employees admitted to never coming across the term, according to research commissioned by security training provider KnowBe4. Conducted by YouGov over a fortnight last December, the online survey polled 1,009 office workers and 214 IT decision makers in Singapore.
Some 15% of IT decision makers also had never heard of security culture. Amongst the 85% who recognised it, 73% knew what it actually meant.
And amongst the senior IT executives who understood what it meant, 6% did not believe their organisation needed a security culture. Another 14% said their organisation had such practices in place, but did not know how to successfully attain a security culture.
Asked to define what it meant, 79% of IT decision makers who knew the term pointed to an awareness of security issues, while 71% described it as recognition that security was a shared responsibility across the organisation. Another 57% pointed to compliance with security policies and 47% described it as having security embedded into the corporate culture.
Amongst employees, 30% noted that their organisation had not communicated about security culture and 53% had never heard of the term. Some 30% said their company had discussed security culture, though a lower 23% said they were clear about what it meant and their role.
Another 23% of employees expressed reluctance in approaching their IT team with security-related questions, with 17% describing it as a hassle to do so.
KnowBe4’s Asia-Pacific security awareness advocate Jacqueline Jayne said: “How employees perceive their role is a critical factor in sustaining or endangering the security of the organisation… What they learn and how they incorporate into everyday behaviours and attitudes is completely transferable into their personal lives and will protect their own data.”
“The phrase ‘security culture’ is beginning to find its way into the lexicon of IT leaders, but there is a problem–IT decision makers have vastly different definitions of security culture, which makes it almost impossible to measure and work towards,” Jayne said.
Citing her company’s definition of security culture as “ideas, customs, and social behaviours that influence an organisation’s security”, she added that having a standard definition better enabled discussions around it. “We all know that if you do not measure something, that something does not exist.”
The findings come amidst calls from the Singapore government for its citizens to take responsibility for their own cyber hygiene, so they can better safeguard their devices and not end up putting entire systems at risk. The government in October set up a task force to develop policies and capabilities to combat ransomware attacks, a growing concern for local businesses, and laid out its cyber defence strategy to help individuals arm up on cyber awareness.
Singapore saw a 25.2% climb in scams and cybercrimes last year, hitting 33,669 reported cases, up from 26,886 in 2021. Scams accounted for the bulk, cheating victims of SG$660.7 million ($501.9 million), a 4.5% increase from SG$632 million in 2021. Phishing, e-commerce, and investment scams were amongst the top five most common tactics used against victims, making up 82.5% of the top 10 types of scams last year. Phishing cases topped the list, with 7,097 reported cases in 2022, up 41.3% from 2021.