Ineffective security awareness training is leaving UK businesses dangerously exposed to the significant consequences of an information security breach

The Protiviti Security Awareness Survey, released on 4 December, found that almost four in ten (37%) office workers have never had data security awareness training. This figure increases to 52% at non-financial services organisations.

Moreover, while four-fifths of respondents believe they have an average to excellent understanding of modern IT security and risks within their organisation, senior information security and risk professionals disagree, saying that around two-thirds of employees actually have a generally low level of understanding of information security risks.

Despite increased levels of training at both financial services and non-FS businesses, for many people the training is too basic, simply a box-ticking exercise or, worse, gives them a false sense of security.

The Security Awareness Survey canvassed 1,000 employees including senior executives and found that four-fifths (81%) of respondents believed they have an average to excellent understanding of modern IT security and risks within their organisation.


However, a separate Protiviti study of senior information security and risk professionals working across a range of UK firms, reported that key information security messages are still not getting through to significant numbers of employees, and that good information security practices are still not part of the risk culture at many UK businesses.

This is despite recent, high-profile cases of security breaches, often caused by human error and the severe consequences that have followed.

Many respondents to our survey report that they have made significant changes in the way that they work and the way they use technology at home following security awareness training.

There is, therefore, value in training, provided it is effective. However, information security training needs to be more focused on employees’ roles and the consequences of information security breaches and less on the basic mechanics of security.

The Security Awareness Survey highlights that training does have an impact on behaviour. Asked how they had changed their behaviour after completing security training, 55% of employees said they had become more careful where they leave laptops, phones or USBs.

The top five most changed behaviours overall (% of respondents who have changed behaviour) were:

  • Being more careful where they leave laptops, phones or USBs: 55%
  • Being more wary with email: 46%
  • Being more wary of applications downloaded: 45%
  • Changing password complexity: 39%
  • Being more wary of photos/comments on social media: 37%

    Source: Protiviti Security Awareness Survey 2012

We continue to see security incidents arising that could have been easily avoided had better disciplines been followed. People are clearly not heeding the warnings and do not understand the very serious consequences of poor security practice.

Many people will ignore rules where the rules are seen as an inconvenience, where it is deemed ‘socially acceptable’ or where there is perceived to be no personal consequences of failing to comply with the rules.

For training to be effective, it needs to be tailored to the roles of employees, and many organisations need to review both the nature and frequency of their training. Reporting security breaches and ‘near breaches’ is one good way to help improve security awareness.

While effective training does have an impact on employee behaviour, for many companies the wake-up call comes only after a major information security incident.

By providing regular information security awareness training, with the right messages conveyed, many organisations can mitigate the worst of these threats.


Ryan Rubin is a director of Protiviti (www.protiviti.com), a global consulting firm that helps companies solve problems in finance, technology, operations, governance, risk and internal audit.