This is how bosses rate the IT security awareness of their employees
As part of a large-scale management study on the topic of IT security, Sophos also examined how aware company managements and workforces are of this important factor. The results show that the human factor is already being intensively taken into account as a potential source of danger.
For IT security awareness in companies, there is no ready-made standard kit that you purchase once, install and update from time to time. IT security must be understood as a process that is continually adapted to changing conditions. Engineering and technologies (such as AI) help with this. At the end of the IT usage chain, however, is the human being, who carries out his or her activities with the help of computers and devices. This is where IT security becomes vulnerable, because the human factor always plays a decisive role when it comes to vulnerabilities.
But how do company managements in Germany, Austria and Switzerland view this? Do they trust their employees to recognize a phishing email that looks deceptively real? Do they surf via the company VPN during their breaks in the home office, thus endangering the company's IT? How high is IT security awareness among the workforce? Sophos wanted to know this, among other things, from senior and higher managers (C-level) in the three German-speaking countries. On behalf of Sophos, the opinion research institute Ipsos surveyed around 200 managers from the retail, services and manufacturing sectors. The survey was graded according to the German system, i.e. the top grade in each case is a 1.
Scores for IT security awareness: German bosses 2, employees 3
Across all industries, German managers attest themselves a very high (35.3 percent) to high (46.3 percent) awareness of IT security. Company size certainly plays a role in self-assessment: in larger companies (200 employees and more), 30.2 percent of managers give themselves a grade of 1, while the figure for smaller companies (50-199 employees) is 37.2 percent. If we compare the sectors, it is particularly the retail sector where 38.7 percent of managers believe they have a very high awareness of IT security.
German managers are somewhat stricter when it comes to assessing their teams: the majority (41.8 percent) give them only a grade of 3 (satisfactory). The highest marks for employees were awarded by bosses from the service sector (11 percent). Here, too, the size of the company plays a role in the assessment: 10.8 percent of bosses at companies with up to 199 employees consider the security awareness of their workforce to be very high, while managers at companies with more than 200 employees give the top grade to only 5.7 percent of their workforce. They even give a grade of 5 to 3.8 percent, whereas smaller companies attribute such a low level of IT security awareness to only 0.7 percent of their employees.
Managers of large Austrian companies more often give themselves and the workforce a 1
By contrast, the picture is somewhat different in Austria. While, as in Germany, the majority (45.3 percent) also give their staff a 3, the proportion of top marks is higher overall than in Germany: here, 13.2 percent give their teams a straight 1 for cyber awareness. And while in Germany the larger companies assess their teams more critically, in the Alpine republic it is the other way around: 17.6 percent of companies with more than 200 employees give their teams a 1 or 2 for security awareness.
Austrian managers attest to a very high level of IT security awareness in 41.5 percent of cases and a high level in 39.6 percent, which is better than the self-assessments of German managers. Similar ratios can be seen when looking at company sizes: in large companies, 52.9 percent of managers rate themselves with a 1, while in smaller companies the figure is 36.1 percent.
Swiss managers give themselves a 2, employees a 2-3
Swiss managers most often rate their own security awareness with a 2 (45.1 percent on average): a little more often in smaller companies (46.9 percent) and a little less often in large companies (42.1 percent). The top grade is awarded by 39.2 percent of Swiss bosses (47.4 percent in the manufacturing sector). Large companies give themselves a 1 and a 2 equally often (42.1 percent each).
35.3 percent of Swiss decision-makers (26.3 percent in large companies, 40.6 percent in smaller ones) rate the security awareness of their employees as 3, i.e. satisfactory. Larger companies more often give their staff a straight 2 (36.8 percent, compared with an average of 29.4 percent).
Training as the most important additional security measure
For every second company in Germany, employee training is the most important measure for improving cybersecurity in the company. The majority of companies are aware that people are a critical factor in cybersecurity. When asked what measures the decision-makers in their companies are taking for their cybersecurity, employee training ranks first: 55.7 percent have been providing it for at least two or three years. The manufacturing sector in Germany has been particularly committed to training for several years, at 64.6 percent, while the majority of the retail sector has only been training its teams in this regard for about a year (41.9 percent).
In neighboring Austria, too, bosses have been investing in their employees' security skills for at least two or three years as the most important of their protective measures, at 64.4 percent. In retail, this figure is lowest at 44.4 percent. Around one in five companies has been holding employee training courses for just one year (20.8 percent). Again, there is a stark difference between manufacturing (27.8 percent) and retail (11.1 percent), with 33.3 percent of retail companies reporting that they plan to do so.
The Swiss also see workforce training as the most important measure for improving cybersecurity, with 66.7 percent placing it first and having done so for at least two or three years. The Swiss manufacturing sector is well above average here at 84.2 percent, while retail is well below at 37.5 percent and service providers are close to average at 62.5 percent. Company size is not a decisive parameter in Switzerland and deviates only marginally from the average.
Summa Summarum: Satisfactory IT security awareness probably acceptable
Overall and across all three countries, the executives in Germany, Austria and Switzerland attest to a fundamentally positive and responsible approach to IT security on the part of themselves and their teams, although there is still room for improvement. Austria stands out positively: managers there take a more benevolent view of themselves and their employees, while company management continues to maintain awareness with regular training.
The bosses in Germany and Switzerland have a very similar opinion of themselves and their employees. Team training has been one of the most important security measures in both countries for years; Switzerland even records the highest value here, yet, just like Germany, it gives the workforce only a satisfactory rating for IT security awareness. There may be several reasons for this discrepancy between attributed capability and training: perhaps the training is not yet as effective as hoped, or a longer training phase is needed. Perhaps, after years of training in many cases, a "satisfactory" must be accepted for the time being as sufficient awareness of enterprise IT security, especially in light of increasingly tricky attack tactics such as phishing emails or social engineering. In any case, training is and will remain a very important building block for corporate IT security. Bosses are aware of the vulnerability of people in the system and show commitment to improving it with appropriate measures.
Source: Sophos