3 reasons businesses are getting worse at cybersecurity

Oct 31, 2016


IT, security



The Department of Homeland Security took advantage of Cybersecurity Awareness Month to encourage both businesses and end users to improve their security hygiene. After 13 years of this program being in effect and after a long (and growing) list of high-profile cybersecurity incidents, one would think businesses wouldn’t have to be reminded about establishing and keeping up a good security posture.

However, even as general cybersecurity awareness has improved, a recent report from Ponemon Institute found that today’s end users/employees have gotten worse with their overall security behaviors. According to the study, “The Widening Gap Between End Users and IT,” just 39 percent of end users said they follow security protocols to protect business information, a drop from 56 percent in 2014.

There are a few reasons behind this decline in security behaviors, according to the Ponemon study.


Reason 1: a disconnect between IT and end users

One is a widening disconnect between end users and their IT departments. While a decreasing number of employees are practicing good security hygiene, IT departments say the opposite is happening. For example, the study reported that “while 52 percent of IT respondents believe that policies against the misuse or unauthorized access to company data are being enforced and followed, only 35 percent of end user respondents say their organizations strictly enforce those policies.”


Reason 2: leading by (poor) example

Another problem is the lack of support from management. There is a perception that C-level executives aren’t making cybersecurity a priority, and this is creating a trickle-down effect. Since they aren’t being shown by example that cybersecurity is important to the organization, employees and even many IT staff have ignored good security behaviors.


Reason 3: lingering confusion about security threats

A third issue is that, even while most end users are aware of the need for better cybersecurity, too many still don’t understand what constitutes a security threat. Ransomware, for instance, is perhaps the top security threat this year, with approximately 40 percent of businesses having suffered such an attack in the past year. Yet, when security company AVG surveyed small and medium-sized businesses (SMBs), about a third of the respondents said they had never heard of ransomware. And, an AVG blog post on the study reported, 68 percent of the respondents who were familiar with ransomware “had very different opinions, many of them inaccurate. When asked to explain the term, it turns out that 36 percent (of the 68 percent) didn’t actually know what it was.” And this is for a type of malware that has been around in one form or another for a decade.

“At a time when one would expect general improvement in end-user hygiene due to increased awareness of cyberattacks and security breaches, this survey instead found an alarming decline in both practices and attitudes,” Dr. Larry Ponemon, Chairman and Founder of Ponemon Institute said in a formal statement. “If an organization’s leadership does not make data protection a priority, it will continue to be an uphill battle to ensure end users’ compliance with information security policies and procedures.”


How SMBs can focus their security efforts

To combat this, said Joe Dahlquist, VP of Product Management at ThreatSTOP, there are two security ingredients that SMBs need to focus on when it comes to their protection: technical and operational.

“Technical is the solution that they choose, its design and implementation. SMBs need a solution that of course fits their budget, but also provides robust protection across their environment. Small teams, especially teams where IT and security are rolled into one, simply don’t have the time to manage multiple solutions that protect their environments in bits and pieces,” Dahlquist explained.

Operational involves the way that SMBs educate their employees on best practices and implement security controls.

“Using customizable walled gardens is a great way to redirect users away from malicious content while at the same time teaching them,” Dahlquist stated. “For example, let Phil in the warehouse know that clicking on the flashing kitten gif will take him to a bad place and bad things will happen.”

Human behaviors will always play a role in security hygiene. To decrease the risks, cybersecurity needs to become a team sport, where everyone from the highest management levels to IT professionals to every end user works together through better communication and cooperation.