A new survey from Enterprise Management Associates (EMA) reveals the relationship between employees’ approaches to information security decisions and the risks posed to the organisation.
The poll covered over 600 employees from a range of businesses, from those employing fewer than 100 staff up to organisations with over 20,000 employees.
The survey set out to understand the state of security awareness training across a range of sectors, including public and private companies, government and non-profit groups. Its key findings were:
- 56% of corporate employees, excluding those who work in the security or information functions, have never received any security or policy awareness training
- 45% of those who do receive awareness training said it came in one annual session
Such a lack of security awareness suggests that employees are likely to engage in potentially risky behaviour, and that hypothesis is borne out by the report's other findings:
- 59% store work-related information in the cloud
- 58% keep sensitive information on their mobile devices
- 35% have clicked on links found in email received from an unknown sender
- 33% reuse personal passwords for their work devices
- 30% leave their mobile devices unattended in their vehicles
David Monahan, Research Director at EMA, said:
“People repeatedly have been shown as the weak link in the security program. Without training, people will click on links in email and release sensitive information in any number of ways. In most cases they don’t realize what they are doing is wrong until a third party makes them aware of it. In reality, organizations that fail to train their people are doing their business, their personnel and, quite frankly, the Internet as a whole a disservice because their employees not only make poor security decisions at work but also at home on their personal computing devices as well.”
Whilst the report highlights the need for security awareness training, it also touches on the quality of such programs.
In my own experience, and from what I have heard from others, many organisations still approach such training as something they ought to do, rather than understanding the benefits that a quality, engaging program offers the business.
Security awareness is a simple concept to those who work in the industry, but other staff often see it as complicated, boring or an interference with their usual working practices, so it needs to be offered in a fun and easily understood format.
EMA survey respondents seem to agree, with 66% saying that training materials need to be easy to understand and 59% saying that interactive activities are a useful aid to learning – sitting somebody in front of a screen with a lame bit of CBT running just isn’t the way forward, folks.
With many organisations becoming increasingly aware of data breaches and other potential security risks, I would like to think that they will consider all avenues when hardening their defences. Bolstering infrastructure, patching software, employing competent security personnel and so on is all well and good, but it is all for naught if the majority of employees in the business aren’t armed with the basic knowledge required to avoid phishing runs and social engineering attacks, and with simple techniques for keeping bad code and bad people away from the corporate networks.
If you need security awareness training for your organisation – and let's not forget that even some of the least expected organisations get caught out by ruses as simple as phishing – then you need look no further than BH Consulting, which can provide onsite security awareness training courses tailored to your needs. Our experts will work with you to identify your primary needs and develop a security awareness program specific to you and your organisation. This program can then be delivered via a series of onsite workshops, train-the-trainer sessions or an online portal.