Ineffective security awareness training is leaving UK businesses dangerously exposed to the significant consequences of an information security breach. Despite increased levels of training at both financial services and non-FS businesses, for many people the training is too basic, simply a box-ticking exercise or, worse, gives them a false sense of security, warns Protiviti, a global consulting firm.
Protiviti’s Security Awareness Survey, which canvassed 1,000 employees including senior executives, found that four-fifths (81%) of respondents believed they have an average to excellent understanding of modern IT security and risks within their organisation.
However, in a separate Protiviti study of senior information security and risk professionals working across a range of UK firms, it was reported that key information security messages are still not getting through to significant numbers of employees, and that good information security practices are still not part of the risk culture at many UK businesses. This is despite recent, high-profile cases of security breaches, often caused by human error and the severe consequences that have followed.
According to senior information security and risk professionals, around two-thirds (61%) of employees actually have a generally low level of understanding of information security risks and fail to put into practice effective procedures they have been taught in training.
Almost three quarters (71%) thought employees had a poor understanding of the positive role they could play in reducing security risks and a majority (57%) said they had noticed no change in employee behaviour after completing security awareness training.
In contrast, according to the Security Awareness Survey, 93% of respondents that had undergone security training believed that it had made them more aware of information security risks and what they needed to do in order to reduce them. Alarmingly, almost four in ten office workers said they have never had data security awareness training.
This figure increases to over half (52%) if you only look at non-financial services organisations. Further, of those that have had training, only a third (32%) have had it within the last 12 months, which is clearly inadequate given the speed with which new information security threats emerge.
Ryan Rubin, Director, Protiviti UK, said: “Many respondents to our survey report that they have made significant changes in the way that they work and the way they use technology at home following security awareness training. There is, therefore, value in training, provided it is effective. However, information security training needs to be more focused on employees’ roles and the consequences of information security breaches and less on the basic mechanics of security.”
According to the Protiviti Security Awareness Survey, training does have an impact on behaviour. Asked how they had changed their behaviour after completing security training, 55% of employees said they had become more careful where they leave laptops, phones or USBs. The top five most changed behaviours overall were:
- Being more careful where they leave laptops, phones or USBs (55%)
- Being more wary with email (46%)
- Being more wary of applications downloaded (45%)
- Changing password complexity (39%)
- Being more wary of photos/comments on social media (37%)
“We continue to see security incidents arising that could have been easily avoided had better disciplines been followed. People are clearly not heeding the warnings and do not understand the very serious consequences of poor security practice.
“Many people will ignore rules where the rules are seen as an inconvenience, where it is deemed ‘socially acceptable’ or where there is perceived to be no personal consequences of failing to comply with the rules. For training to be effective, it needs to be tailored to the roles of employees, and many organisations need to review both the nature and frequency of their training. Reporting security breaches and ‘near breaches’ is one good way to help improve security awareness.
“While effective training does have an impact on employee behaviour, for many companies the wake-up call comes only when there is a significant incident, such as a major information security incident. By providing regular information security awareness training, with the right messages conveyed, many organisations can mitigate against the worst of these threats,” concluded Rubin.