A new study by Enterprise Management Associates (EMA) indicates more than half of enterprise employees may not receive any security awareness training.
In a survey of 600 employees sponsored by security training firm Security Mentor, 56 percent of employees said they did not get security or policy awareness training from their organizations. This lack of training, the report argues, often results in policy violations and other risky behavior. For example, 33 percent said they use the same password for both work and personal devices. Fifty-nine percent of those surveyed said they store work information in the cloud, where enterprises sometimes do not have the same level of visibility or control over data.
In addition, 58 percent of the survey’s participants said they store sensitive information on their mobile devices – a potentially problematic figure given that 30 percent also admitted to leaving mobile devices unattended in their vehicles. Some 35 percent said they have clicked on an email link from an unknown sender.
“The research results clearly show many security awareness and policy training programs lack the delivery periodicity, content and quality that could increase retention thereby improving security decision made by personnel and reducing risk in their organization,” report author David Monahan, research director at EMA, wrote in a summary of the study. “Company size, budgets and market vertical significantly impact the existence and maturity of the awareness training.”
While 48 percent of respondents reported their organizations measured the effectiveness of security awareness training, 18 percent said the training effectiveness was not measured and 34 percent said they didn’t know. The most common forms of training measurement were training completion (62 percent) and end-of-training testing (55 percent).
“While today’s organizations continue to harden their infrastructure to protect against the latest cyber threats, this report reveals that they too often fail to arm their employees with the critical information needed to avoid a data breach, prevent phishing, or report a possible security incident,” said Craig Kunitani, COO with Security Mentor, in a statement. “Every organization should make security awareness training part of its defense in depth strategy. Many of our customers report they’ve had great success in educating their staff using our security awareness training program because of our brief, interactive, and informative lessons.”
Brian Prince is a Contributing Writer for SecurityWeek.