Study Shows Need for Cultural Shift, Better Security Awareness Training
A recently released research report from Experian and Ponemon Institute is a study in contrasts: organizations acknowledging that insider risk continues to be a significant challenge on the cyber security front while at the same time indicating that their employees are not being given the training they need to reduce those risks.
The results reflected in the Managing Insider Risk through Training & Culture research report are based on a survey of 601 individuals whose organizations provide security awareness training programs and who themselves are knowledgeable about the parameters of those programs. Of those surveyed, 66% feel that employees are the weakest link in the security chain, and 55% indicated that their organization had suffered a security incident or data breach as the result of negligent or malicious end-user behaviors.
It’s unlikely these statistics will be met with surprise, and we agree that end-user risk is real. What is disheartening, however, is the way this risk is being managed. Given that insider threats have been identified and widely acknowledged, it stands to reason that organizations would be prioritizing the issue and attacking the problem head on. However, these results from the research report indicate otherwise:
- Only 35% of respondents said their senior executives have made end-user security awareness and training a priority.
- 60% say their employees are not knowledgeable or have no knowledge of the company’s security risks.
- 43% indicated that their organization’s cyber security education consists of one basic course.
- Only 49% said they teach employees about phishing and social engineering attacks. And just 38% provide education about mobile device security.
Phishing attacks are more prevalent than ever and security incidents are happening at record rates. If you are among the 51% who are not training your end users to identify, avoid, and report suspicious email messages, take a look at our comprehensive Anti-Phishing Training Suite today.
These results are particularly troubling when you consider that some level of data protection and privacy training is in place within each respondent’s organization. Clearly, efficacy is an issue, as the survey reflects: only 50% of respondents agree that their current approach actually reduces noncompliant behaviors, and even fewer (43%) feel the training helps to minimize loss or theft of confidential data.
Time to Up Your Security Education Game
We’ve long cautioned that effective security awareness and training is about more than checking a box. The Ponemon study reflects a clear need to implement a more effective approach to end-user risk management. Here are ways to up your game:
|Study shows…||You should…|
|43% of cyber security education programs consist of one basic course. Critical areas of risk — including those that lead to breaches — are often ignored.||Implement a continuous training approach that keeps security top-of-mind year round and allows you to cover multiple topics in “digestible” chunks.|
|Many organizations exclude certain employee segments from participating in cyber security training, including contract workers (55%), part-time employees (40%), and CEOs/C-level execs (29%).||Train at all levels and strive for a top-down approach to cyber security education. Every employee is a potential point of entry, and the C-suite has been increasingly targeted in business email compromise (BEC) attacks.|
|67% of organizations do not incentivize employees to be proactive about protecting sensitive data and systems.||Consider using gamification to make your program more engaging and rewarding for end users.|
|70% say that lack of in-house expertise is a reason it is difficult to reduce the risks related to negligent or malicious employees.||Partner with a leader in the computer-based security training space who can help you design and implement an effective program. Explore managed services options if administrative resources are an issue.|