A new study by Enterprise Management Associates (EMA) indicates more than half of enterprise employees may not receive any security awareness training.
In a survey of 600 employees sponsored by security training firm Security Mentor, 56 percent of employees said they did not get security or policy awareness training from their organizations. This lack of training, the report argues, often results in policy violations and other risky behavior. For example, 33 percent said they use the same password for both work and personal devices. Fifty-nine percent of those surveyed said they store work information in the cloud, where enterprises sometimes do not have the same level of visibility or control over data.
In addition, 58 percent of the survey’s participants said they store sensitive information on their mobile devices – a potentially problematic figure given that 30 percent also admitted to leaving mobile devices unattended in their vehicles. Some 35 percent said they have clicked on an email link from an unknown sender.
“The research results clearly show many security awareness and policy training programs lack the delivery periodicity, content and quality that could increase retention thereby improving security decisions made by personnel and reducing risk in their organization,” report author David Monahan, research director at EMA, wrote in a summary of the study. “Company size, budgets and market vertical significantly impact the existence and maturity of the awareness training.”
While 48 percent of respondents reported their organizations measured the effectiveness of security awareness training, 18 percent said the training effectiveness was not measured and 34 percent said they didn’t know. The most common forms of training measurement were training completion (62 percent) and end-of-training testing (55 percent).
“While today’s organizations continue to harden their infrastructure to protect against the latest cyber threats, this report reveals that they too often fail to arm their employees with the critical information needed to avoid a data breach, prevent phishing, or report a possible security incident,” said Craig Kunitani, COO with Security Mentor, in a statement. “Every organization should make security awareness training part of its defense in depth strategy. Many of our customers report they’ve had great success in educating their staff using our security awareness training program because of our brief, interactive, and informative lessons.”