Companies aren't doing enough to raise the security awareness of their employees, with 56 percent of corporate employees in a survey by Enterprise Management Associates (EMA) saying they have not undergone security or policy awareness training through their companies.
According to the report, “Security Awareness Training: It's Not Just for Compliance,” 45 percent of employees received their training in a single annual session. But a one-off training session that covers a broad swath of security issues likely isn't effective.
“Training has to be understandable and engaging to the end user,” Marie White, co-founder, CEO and President of Security Mentor, the security awareness training company that sponsored the report, told SCMagazine.com. “Sixty-six percent said it was important that training is easy to understand.”
Organizations often skimp on training as a way to save money. A significant number of those surveyed thought they were spending $50 per person per year, a figure that David Monahan, research director at EMA, says would be prohibitive if it were accurate, which he is confident it is not. Cost is of particular concern to SMBs, yet they are increasingly becoming targets of attack and exploitation.
“They're working with cutting edge technology and their people are not trained,” Monahan told SCMagazine.com. “They're ripe for the picking.”
For those companies training employees for compliance purposes, just showing up may count as complying. Monahan says the survey shows that for “62 percent, training effectiveness is measured by the fact that they completed the course” and the appropriate box was checked off.
Clearly companies must do more, given the gaps the survey uncovered in employees' understanding of security vulnerabilities and the mistakes they make, which can leave information vulnerable to attack and, as one CTO proved earlier this year, cause them to fall victim to phishing campaigns.
For instance, “35 percent said they clicked on an email from an unknown source and 33 percent have the same password for both work and personal devices,” says White, while “30 percent still leave mobile devices unattended in their car. They need to know why security is important.”