Welcome to the 2021 Security Culture Report, the fourth annual report of its kind. The Security Culture Report and associated methodology were originally developed by CLTRe, which was acquired by KnowBe4 in 2019, and the report is KnowBe4 Research’s most ambitious. The data represented here was collected during the global COVID-19 pandemic and, as such, some findings from our research reflect both positive and negative inflections that may be attributable to pandemic conditions.
Security culture is the ideas, customs and social behaviors of an organization that influence its security. Of 1,161 security leaders surveyed in 2020, 94% reported that security culture is the most important element in their security strategy. This sentiment is reflected in the growth in the number of organizations measuring their security culture.
More than 320,000 employees in 1,872 organizations around the world have been surveyed in this largest-ever study of security culture. While some industries saw security culture stagnate or decline during the pandemic, we were encouraged to see a number of industries use the pandemic as an opportunity to improve.
Security culture is directly associated with reduced risk. In a recently published KnowBe4 Research report, we demonstrated that in organizations with poor security culture, the risk of employees sharing credentials is 52 times higher. As of yet, there are no industries that quantifiably demonstrate a good security culture, which is characterized by a score of 80 points or more. This is worrying when we see continued growth in the threat level and a growing number of victims of cybercrime. According to CoveWare, 2020 saw ransomware payments reach an all-time high, with organizations across all industries being targeted. The most common method used by hackers to gain access to their target systems is social engineering.
In their Q4 2020 Ransomware Marketplace Report, the ransomware remediation and analytics firm CoveWare noted that for the first time, phishing surpassed other techniques as the most common tool used by hackers to gain access. As such, organizations around the world—large and small—should expect to see an increase in phishing attacks in the coming years.
Security culture is a critical, need-to-have asset in the security toolbox. By assessing employees’ security awareness, behaviors and culture, organizations can adapt their policies and training programs to the constantly changing threat landscape. The alternative becomes less attractive by the hour: do nothing and see your organization brought to a halt by ransomware, data theft or business interruption.