New report: Cybersecurity is underprioritized in Danish companies
Danish companies consider cybersecurity important but at the same time underprioritize it, according to a new report by researchers at the IT University of Copenhagen and the University of Southern Denmark. Part of the explanation is that senior managers have little knowledge of cybersecurity threats, say the researchers behind the report.
Written 12 January, 2021 08:47 by Vibeke Arildsen
In a new report, researchers from ITU and SDU uncover the challenges of Danish companies in relation to cybersecurity and privacy. The report is based on a survey as well as follow-up interviews with managers, developers, security experts and other employees in both large and small companies.
The study included questions about security policies, security training of employees, daily workflows and how companies integrate security into their products.
The overall picture is that cybersecurity is an underprioritized area. For instance, 48 percent of respondents with an IT security or privacy protection role say that security procedures are not followed in all situations. The most common reasons for deviations are lack of time and resources, influence from management, and interference with the other workflows in the organization.
Among small and medium-sized companies, only 26 percent answer that the company has a dedicated cybersecurity budget, compared with 68 percent of the large companies.
Senior managers have too little insight
One of the main challenges is that senior managers have too little insight into cybersecurity, says Oksana Kulyk, Assistant Professor at ITU:
“On the one hand, senior managers recognize that cybersecurity is important and want their business to be protected. On the other hand, many have an outdated view of the cyberthreat and place the responsibility for security on the IT specialists in the company. Management’s lack of knowledge and awareness leads to an underprioritization of the area,” she says.
Management often prioritizes the core business over cybersecurity, but this can end up being costly, says Asmita Dalela, Research Assistant at ITU.
“Cyberattacks pose a risk to the core business, so it is important that senior management is trained in cybersecurity from a business perspective, so that they understand the business implications of the cyberthreat and are equipped to form a realistic impression of the company's vulnerabilities,” she says.
Trust-based culture
According to Jacopo Mauro, Associate Professor at SDU, cybersecurity is a global challenge, and the level of security in Danish companies does not differ significantly from other countries. There are, however, culturally conditioned challenges that are particularly prevalent in Denmark:
“In Denmark, we have a culture with a high degree of trust, and this is reflected in the report. For example, managers trust that developers have control of IT security and do not interfere in their work. During the pandemic, they allow employees to bring laptops home expecting them to keep the data safe. Trust is vital, but if management assumes that employees have knowledge and skills in security that they do not in fact have, it is problematic,” says Jacopo Mauro.
At the same time, the report shows that the developers do not believe that management prioritizes cybersecurity or provides adequate support in this area. In addition, developers lack cybersecurity training.
“The senior managers that we have talked to say that they are happy to pay for courses in cybersecurity if the employees want them, but developers are not necessarily aware that they need more knowledge. It is also a problem that it is the employee's own responsibility to express this need, especially if they feel that cybersecurity is not a priority for management,” says Oksana Kulyk.
More knowledge is necessary
The researchers believe that it is high time that companies upgrade their cybersecurity measures.
“We are in a digital age where we all use technology every day. If there is no control over cybersecurity in the companies that produce our digital products and services, it is very concerning. Lack of security in our digital products affects not only the services themselves, but can also lead to security deficiencies in the systems which products are integrated in,” says Asmita Dalela.
Jacopo Mauro emphasizes that the intention is not to point fingers or blame the companies.
“Cybersecurity is difficult and resource-intensive. The purpose of the report is to understand what goes wrong, why it goes wrong, and how we can help companies and employees achieve better cybersecurity,” says Jacopo Mauro.
“Our results show that both technical and business specialists need more knowledge about cybersecurity. This costs time and money, but it is a necessary cost.”
Oksana Kulyk, Assistant Professor, email okku@itu.dk
Jacopo Mauro, Associate Professor at SDU, email mauro@imada.sdu.dk
Vibeke Arildsen, Press Officer, phone 2555 0447, email viar@itu.dk