Cybersecurity knowledge grows, but practice lags behind
The survey shows that employees in education and research mainly want clarity on how to process sensitive data and which tools they can use to do so. In addition, they indicate that they do not know how to report security incidents and data breaches.
Importance clear, urgency lacking
Although respondents recognise the importance of information security, many of them do not feel enough urgency to take concrete action. This is partly due to the lack of a strong security culture. Some respondents say it would help if security and privacy rules were less non-committal.
Concrete advice for institutions
With the following advice from the report, you can immediately start working within your institution to increase awareness around cybersecurity:
- Align awareness campaigns with the daily work of your staff, so they recognise situations.
- Make reporting incidents or data breaches as easy as possible, for example by posting short instructions at workstations.
- Invest in training on specific topics, such as dealing with personal data, and thus strengthen the security culture.
- Make security and privacy an integral part of the onboarding process of new employees.
About the awareness measurement
In 2024, over 6,300 respondents from 27 institutions (wo, hbo, mbo, libraries and research institutes) took part in SURF and BDO Cybersecurity's fourth cybersecurity awareness survey. The average score of participating institutions was a 6.7, slightly better than the 6.5 in 2023. In 2022, the score was still a 5.9.
October = cybersecurity month
In the month of October, organisations worldwide pay extra attention to cybersecurity (awareness). On the SURF Security Expertise Centre website, you will find an overview of all activities and interesting content. We will continuously update the overview during the month. If you want to start an awareness campaign within your institution, use SURF's Cybersave Yourself.