Awareness measurement education and research 2023: embed awareness organisation-wide
Main conclusions
Employees, as in the 2022 measurement, are convinced of the importance of cyber-safe and privacy-aware behaviour, but have limited motivation to pay attention to it. This is because they lack support within their institution and the lack of clarity on what secure working means in practice. They are reasonably satisfied with the facilities at their disposal, but a strong security-awareness culture is lacking. Respondents were less positive about the role model role of managers compared to last year.
Results across the board better than in 2022
On average, participating institutions scored a 6.5. This is an improvement from the 2022 measurement where the average score was 6.1.
Recommendations
- Ensure that awareness activities and materials connect to daily work in education and research.
Invest in a strong security awareness culture by embedding awareness structurally, organisation-wide and at all hierarchical levels. For example, by making security and privacy a regular part of the onboarding of new employees. - Remove barriers to working safely.
- Invest extra in teachers, researchers and managers.
- Focus on specific themes such as secure software and safe storage and sharing of personal data.
About the measurement
In early 2023, 70 institutions (wo, hbo, mbo, other - including libraries and research institutes) took part in a cybersecurity-awareness measurement as part of SURF's Cybersave Yourself service, in collaboration with BDO Cybersecurity and the Centre of Expertise Cyber Security of The Hague University of Applied Sciences.
October = cybersecurity month
Throughout the month of October, organisations worldwide draw extra attention to cybersecurity (awareness). SURF is no exception. On the SURF Security Expertise Centre website, you will find an overview of all the activities you can follow this month. There you will also find various content divided over three themes: awareness and trends, prevention of cybercrime, first aid in case of cybercrime.