Report Finds Persistent Vulnerabilities in Healthcare and Pharmaceuticals Cybersecurity

KnowBe4, a prominent provider of security awareness training and simulated phishing platforms, has released its 2024 Security Culture Report, which analyzes the prevailing state of security culture across organizations and its direct impact on cybersecurity measures, acknowledging the important role of security culture in organizational cybersecurity efforts. Security culture, as defined by KnowBe4, includes the collective ideas, customs, and social behaviors that shape an organization’s approach to security. It reflects the shared mindset, practices, and norms that influence how security is prioritized within an organization, extending to ingrained habits among staff and demonstrated behaviors in professional settings. This broad concept highlights the importance of employee involvement through evaluations, training, and the refinement of processes and protocols. It also stresses the adoption of technologies that facilitate adherence to security best practices and the establishment of a workplace environment where security is integrated seamlessly into everyday operations. The dimensions of security culture, including attitudes, behaviors, communication, compliance, norms, cognition, and responsibilities, provide a structured framework for assessing and improving security awareness and practices. Organizations are encouraged to cultivate a strong security culture by promoting positive attitudes towards security protocols, encouraging responsible behaviors, facilitating open communication channels, improving employee understanding of security issues, and clarifying individual responsibilities in safeguarding the organization against threats.

KnowBe4’s 2024 Security Culture Report reveals that while there is a growing recognition of the importance of security culture, the overall security culture score globally remains at a low-moderate level. Smaller organizations tend to outperform larger counterparts in terms of security culture, attributed to more efficient leadership communication and a greater sense of responsibility among employees. Certain industries, such as insurance, financial services, and banking, lead in security culture due to the high-risk nature of their operations and sustained emphasis on security. However, sectors like government, manufacturing, and education are struggling to maintain adequate standards, partly due to resource constraints. The report also addresses the role of artificial intelligence (AI) in cybersecurity, highlighting its potential to improve defensive measures but noting that it has not fundamentally altered the nature of cyberattacks. Despite the attention AI receives, attacks still rely on traditional social engineering tactics, necessitating a strategic approach to leveraging AI in cybersecurity efforts. 

Within the Healthcare and Pharmaceuticals sector, the need for a robust security culture stems from the sector’s handling of highly sensitive personal information and compliance obligations such as those mandated by HIPAA. As the industry adapts to evolving healthcare practices, including increased adoption of telehealth and remote patient monitoring, the demand for stringent cybersecurity measures has increased. However, this change has also exposed the sector to heightened cyber threats. Remote work arrangements have provided cybercriminals with opportunities to target healthcare workers accessing corporate networks via personal devices. Despite the sector’s comprehensive understanding of risk management, evidenced by its response to these emerging threats, the KnowBe4 report highlights the persistent vulnerabilities within the healthcare and pharmaceuticals industry. The sector maintains a consistent performance level, with a security culture score of 73, aligning with last year’s results. However, this steady score masks the fact that the sector is still vulnerable to data breaches, as highlighted by the IBM Cost of a Data Breach Report 2023. Healthcare and pharmaceutical industries consistently rank among the most affected sectors, bearing the highest average cost of data breaches.

The healthcare sector has witnessed several high-profile cyberattacks in recent years, increasing concerns over security vulnerabilities. Notable incidents include the breach affecting 11 million patients at the for-profit HCA Healthcare and the ransomware attack on Ardent Health Services, which disrupted services across multiple hospitals. Healthcare organizations have also fallen victim to attacks initiated through their vendors and contractors, emphasizing the pervasive vulnerability within the sector. In the pharmaceutical industry, data breaches are primarily attributed to malicious attacks (45%), human error (28%), and IT failure (27%), with threat actors exploiting avenues such as phishing, compromised credentials, and cloud misconfigurations. While the Healthcare and Pharmaceuticals sector has demonstrated promising improvements in specific dimensions of security culture, there remain areas that need work. Notable gains include single-point improvements in Attitudes (76), Behaviors (77), Norms (74), and Responsibilities (69), along with a two-point increase in Comprehension (75), indicating an increased understanding of security matters among employees. However, room for improvement persists, particularly in developing greater awareness and accountability among employees in the areas of Cognition (70) and Responsibilities.

While strides have been made in improving security awareness within the healthcare and pharmaceuticals sector, establishing a robust security culture is an ongoing challenge. Organizations must prioritize initiatives aimed at improving employee awareness, accountability, and comprehension of cybersecurity matters to effectively mitigate risks, protect sensitive patient information, and adhere to regulatory compliance standards. 

Murphy Miller

Murphy Miller is the Editor of Healthcare IT Journal, a leading publication in healthcare information technology. Murphy's work covers a variety of topics including healthcare information technology advancements, health policy and compliance, patient privacy and confidentiality, and the financial aspects of healthcare. As the editor of the Healthcare IT Journal, Murphy Miller provides straightforward, informative content to guide professionals and policymakers in the healthcare and IT fields.
