The Danish culture of trust is a problem for cybersecurity

By Birgitte Svennevig, birs@sdu.dk, 1/12/2021

The new report from the IT University of Copenhagen and the University of Southern Denmark shows that Danish companies see cybersecurity as important but give low priority to the area. According to the researchers behind the report, part of the explanation is that chief executives have too little knowledge about the cyber threat.

48 percent of those responsible for IT security or data protection answer that security procedures are not complied with in all situations. The most common reasons for this are lack of time and resources, management influence, and that the procedures interfere with the organisation’s other working procedures.

And then there is the special Danish culture of trust:

When employees take laptops home

– In Denmark, we have a culture with a high degree of trust, and this is also reflected in the study. Managers, for example, trust that developers are in control of IT security and do not interfere in their work. Now during the pandemic, managers let employees take their laptops home and expect that data security is under control. Trust is essential, but if managers assume that employees have knowledge and skills in security that they don’t have, it’s problematic, says Jacopo Mauro, associate professor at the Department of Mathematics and Computer Science, University of Southern Denmark.

At the same time, the report shows that, according to the developers, management does not prioritise cybersecurity and does not provide adequately support in this area. In addition, developers lack training in cybersecurity.

– The managers we have spoken to say that they’ll be happy to pay for cybersecurity courses if employees demand them, but the developers are not necessarily aware that they need more knowledge. It’s also a problem that it’s the responsibility of the employees to express the need, especially if they feel that cybersecurity is not a management priority, says Oksana Kulyk, assistant professor at the IT University of Copenhagen.

Dedicated budget for cybersecurity

The report is based on a survey as well as follow-up interviews with managers, developers, security experts and other employees in both large and small companies.

Among other things, the researchers have asked about security policies, training of employees in cybersecurity, daily working procedures, and how companies incorporate security into their products.

Among small and medium-sized companies, only 26 per cent answer that the company has a dedicated budget for cybersecurity. The same is true for 68 percent of the large companies.

How can this get better?

According to Oksana Kulyk, one of the main challenges is that managers have too little insight into cybersecurity.

– On the one hand, managers recognise that cybersecurity is important, and they want their business protected. On the other hand, many have an outdated view of the cyber threat and place the responsibility for security on the IT specialists in the company. The management’s lack of knowledge and awareness result in low prioritisation of the area, she says.

Jacopo Mauro emphasises that researchers are not out to point the finger at or blame companies.

– Cybersecurity is difficult and resource demanding. The purpose of the report is to understand what’s going wrong, why it’s going wrong and how we can help companies and employees achieve better cybersecurity, he says.