KnowBe4, a leading provider of security awareness training and simulated phishing platforms, has recently published its 2024 Security Culture Report, offering valuable insights into the evolving security situation, particularly within North American organizations. This comprehensive study examines how cybersecurity initiatives related to the human element impact organizational behaviors and attitudes towards security. Defined by KnowBe4 as the collective mindset, practices, and norms influencing an organization’s approach to security, security culture is key to mitigating human-based risks. The report reveals that while the overall security culture score globally remains at a low-moderate level, there is a clear trend toward integrating cybersecurity initiatives beyond just technology controls, highlighting the growing recognition of the responsibility that people bear in promoting a strong security culture.
The 2024 Security Culture Report points out great disparities in security culture performance across various industries in North America. While organizations in the insurance, financial services, and banking sectors demonstrate robust security cultures, smaller organizations outperform larger counterparts, attributed to more efficient leadership communication and a greater sense of individual responsibility. However, despite being prime targets for cybercriminals, sectors such as government, manufacturing, and education struggle to adhere to adequate standards, contributing to a slight dip in the overall security culture score. This disparity emphasizes the need for organizations, especially those heavily targeted by cybercriminals, to prioritize security culture and invest appropriately in reducing human-based risk.
The healthcare and pharmaceuticals sector, characterized by its handling of highly sensitive personal information and stringent compliance obligations such as those mandated by HIPAA, has become acutely aware of the importance of security culture. The industry’s adaptation to evolving healthcare practices, including the widespread adoption of telehealth and remote patient monitoring, has required an increased emphasis on robust cybersecurity measures to safeguard patient data. However, this change has also exposed vulnerabilities within the sector, with cybercriminals seizing the opportunity to target remote workers accessing corporate networks through personal devices.
Despite the sector’s comprehensive understanding of risk management, evidenced by its response to emerging threats, the KnowBe4 report highlights persistent vulnerabilities within the healthcare and pharmaceuticals industry. The sector maintains a consistent performance level, with a security culture score of 73, aligning with last year’s results. However, this apparent confidence belies the fact that the sector remains vulnerable to data breaches, as demonstrated by the IBM Cost of a Data Breach Report 2023, revealing that the healthcare and pharmaceutical industries face the highest average cost of data breaches compared to other sectors. The report further highlights on notable incidents within the healthcare sector, including high-profile cyberattacks such as the breach affecting 11 million patients at the for-profit HCA Healthcare and the ransomware attack on Ardent Health Services, which led to service disruptions across multiple hospitals. Healthcare organizations have also fallen victim to attacks initiated through their vendors and contractors, emphasizing the pervasive vulnerability within the sector. In the pharmaceutical industry, data breaches are primarily attributed to malicious attacks (45%), human error (28%), and IT failures (27%), with threat actors exploiting avenues such as phishing, compromised credentials, and cloud misconfigurations.
While the Healthcare and Pharmaceuticals sector has demonstrated promising improvements in specific dimensions of security culture, including attitudes, behaviors, and norms, there remain critical areas that necessitate improvement. Notable enhancements include single-point improvements in attitudes (76), behaviors (77), norms (74), and responsibilities (69), along with a two-point increase in comprehension (75), indicating an increased understanding of security matters among employees. However, there is still room for improvement, particularly in developing increased awareness and accountability among employees in the areas of cognition (70) and responsibilities. Cultivating a robust security culture becomes a priority to effectively mitigate risks, protect sensitive patient information, and uphold regulatory compliance standards as the healthcare sector continues to withstand with cybersecurity challenges.
