Companies aren't doing enough to raise the security awareness of their employees, with 56 percent of corporate employees in a survey by Enterprise Management Associates (EMA) saying they have not undergone security or policy awareness training through their companies.
According to the report, “Security Awareness Training: It's Not Just for Compliance,” 45 percent of employees received their training in a single annual session. But a one-off training session that covers a broad swath of security issues likely isn't effective.
“Training has to be understandable and engaging to the end user,” Marie White, co-founder, CEO and President of Security Mentor, the security awareness training company that sponsored the report, told SCMagazine.com. “Sixty-six percent said it was important that training is easy to understand.”
Organizations often skimp on training as a way to save money. A significant number of those surveyed thought they were spending $50 per person per year, a figure that David Monahan, research director at EMA, says would be prohibitive if accurate, and which he is confident is not. Cost is of particular concern to SMBs, yet they are increasingly becoming targets of attack and exploitation.
“They're working with cutting edge technology and their people are not trained,” Monahan told SCMagazine.com. “They're ripe for the picking.”
For those companies training employees for compliance purposes, just showing up may count as complying. Monahan says the survey shows that for “62 percent, training effectiveness is measured by the fact that they completed the course” and the appropriate box was checked off.
Clearly companies must do more, given the gaps the survey uncovered in employees' understanding of security vulnerabilities and the mistakes they make that can leave information exposed to attack or, as one CTO demonstrated earlier this year, lead them to fall victim to phishing campaigns.
For instance, “35 percent said they clicked on an email from an unknown source and 33 percent have the same password for both work and personal devices,” says White, while “30 percent still leave mobile devices unattended in their car. They need to know why security is important.”
But Monahan says the survey results indicate that users “don't know enough about data and how to handle it and they don't realize how sensitive it is.” The survey found that only 58 percent say they have sensitive information on their mobile devices, which doesn't gibe with the large percentage of users who say they use their mobile devices at work and regularly access and use email from those devices.
Until organizations up their training efforts, those gaps will continue to exist and even widen, given the growing number of security threats that most companies face today.
“How can we expect organizations to be more secure and people to be more secure on the Internet, if we are not training them?” Monahan said.