These results are particularly troubling when you consider that some level of data protection and privacy training is in place within each respondent’s organization. Clearly, efficacy is an issue, as the survey reflects: only 50% of respondents agree that their current approach actually reduces noncompliant behaviors, and even fewer (43%) feel the training helps to minimize loss or theft of confidential data.
Time to Up Your Security Education Game
We’ve long cautioned that effective security awareness and training is about more than checking a box. The Ponemon study reflects a clear need to implement a more effective approach to end-user risk management. Here are ways to up your game:
| Study shows… | You should… |
|---|---|
| 43% of cyber security education programs consist of one basic course. Critical areas of risk — including those that lead to breaches — are often ignored. | Implement a continuous training approach that keeps security top-of-mind year round and allows you to cover multiple topics in “digestible” chunks. |
| Many organizations exclude certain employee segments from participating in cyber security training, including contract workers (55%), part-time employees (40%), and CEOs/C-level execs (29%). | Train at all levels and strive for a top-down approach to cyber security education. Every employee is a potential point of entry, and the C-suite has been increasingly targeted in business email compromise (BEC) attacks. |
| 67% of organizations do not incentivize employees to be proactive about protecting sensitive data and systems. | Consider using gamification to make your program more engaging and rewarding for end users. |
| 70% say that lack of in-house expertise is a reason it is difficult to reduce the risks related to negligent or malicious employees. | Partner with a leader in the computer-based security training space who can help you design and implement an effective program. Explore managed services options if administrative resources are an issue. |