Study Shows Need for Cultural Shift, Better Security Awareness Training

A recently released research report from Experian and Ponemon Institute is a study in contrasts: organizations acknowledging that insider risk continues to be a significant challenge on the cyber security front while at the same time indicating that their employees are not being given the training they need to reduce those risks.

The results reflected in the Managing Insider Risk through Training & Culture research report are based on a survey of 601 individuals whose organizations provide security awareness training programs and who themselves are knowledgeable about the parameters of those programs. Of those surveyed, 66% feel that employees are the weakest link in the security chain, and 55% indicated that their organization had suffered a security incident or data breach as the result of negligent or malicious end-user behaviors.

It’s unlikely these statistics will be met with surprise, and we agree that end-user risk is real. What is disheartening, however, is the way this risk is being managed. Given that insider threats have been identified and widely acknowledged, it stands to reason that organizations would be prioritizing the issue and attacking the problem head on. However, these results from the research report indicate otherwise:

• Only 35% of respondents said their senior executives have made end-user security awareness and training a priority.
• 60% say their employees are not knowledgeable or have no knowledge of the company’s security risks.
• 43% indicated that their organization’s cyber security education consists of one basic course.
• Only 49% said they teach employees about phishing and social engineering attacks. And just 38% provide education about mobile device security.

Phishing attacks are more prevalent than ever and security incidents are happening at record rates. If you are among the 51% who are not training your end users to identify, avoid, and report suspicious email messages, take a look at our comprehensive Anti-Phishing Training Suite today.

These results are particularly troubling when you consider that some level of data protection and privacy training is in place within each respondent’s organization. Clearly, efficacy is an issue, as the survey reflects: only 50% of respondents agree that their current approach actually reduces noncompliant behaviors, and even fewer (43%) feel the training helps to minimize loss or theft of confidential data.

Time to Up Your Security Education Game

We’ve long cautioned that effective security awareness and training is about more than checking a box. The Ponemon study reflects a clear need to implement a more effective approach to end-user risk management. Here are ways to up your game: