Workplace security awareness programs lacking in efficacy, says study
In a new survey study, only 50 percent of corporate decision-makers agreed that their company’s current level of employee cybersecurity training actually reduces noncompliant behaviors.
Just because a company offers a cybersecurity awareness and training program to its employees doesn't mean it's necessarily doing enough to change workers' dangerous online behaviors, according to a new report from Experian and Ponemon Institute.
The study, “Managing Insider Risk through Training & Culture,” is based on a survey of 601 IT executives and other corporate decision-makers whose companies provide data protection and privacy courses to their employees. In this survey, a discouraging 60 percent of respondents said that employees at their workplace were either not knowledgeable or had no knowledge at all in cybersecurity, despite the availability of these training programs.
But before pointing the finger at the workers themselves, consider that it might be the training that is inadequate. Indeed, only 35 percent of respondents said that senior executives within their organization placed a high priority on teaching employees about data threats and their consequences. Perhaps it's not all that surprising then that only 50 percent of respondents agreed that their company's current level of employee training actually reduces noncompliant behaviors, while only 43 percent believe the training is effective at minimizing loss or theft of confidential data.
Digging deeper, 43 percent said that their corporate training consists of merely one basic course, generalized for all employees across all departments. “These basic courses often do not provide training on the risks that lead to data breaches,” the report explains. In fact, only 49 percent of survey-takers said that their company's security course includes lessons on phishing and social engineering. Even fewer said that their training program covers mobile device security (38 percent) and cloud security (29 percent).
That a cybersecurity training course would exclude something as prevalent and pervasive as a phishing attack is at best head-scratching to some experts. “Phishing and social engineering attacks have been shown to result in data breaches. Training programs should show the consequences of these attacks and how to avoid falling prey to them,” said Larry Ponemon, chairman and founder of Ponemon Institute, in an emailed statement to SCMagazine.com.
Moreover, only 54 percent of respondents said that corporate security training was mandatory at their company. "It just seems unconscionable that you have 60 percent of companies say that employees aren't knowledgeable, but only 45 percent make training mandatory,” Michael Bruemmer, vice president of Experian Data Breach Resolution, told SCMagazine.com.
Even when training is required, many companies have exemptions for certain categories of employees, leaving those companies susceptible to worker error and also potentially setting a bad example. Of the survey-takers who replied that their security programs were mandatory, 29 percent said that C-level executives were excused from participating, while 55 percent said that contract workers were exempted.
Furthermore, only 30 percent of respondents' companies required employees to take or retake the course following a data breach — a stat that's even more worrisome when considering that 55 percent of respondents said their organization had a security incident or data breach resulting from a malicious or negligent employee.