As providers of ethics and compliance training solutions, we never tire of discussing topics like anti-bribery training, sexual harassment training, code of ethics training… and so many more. Lately, we have seen a real uptick in interest from clients and prospects in the area of security awareness training.
As such, news and commentary on the topic has been catching my eye and I’ve encountered some interesting findings.
Given the importance of protecting company data and ensuring a culture of security, and the rise of high profile data breaches at major companies, it’s not surprising that many organizations are now “marketing” security awareness to their employee bases. It’s simply become a critical discipline, which is why this first statistic really had me scratching my head.
1. 56% of Corporate Employees Have Not Taken Security Awareness Training
I found this really confounding. Enterprise Management Associates (EMA) conducted a survey of more than 600 people (non-IT and non-security staff) entitled “Security Awareness Training: It’s Not Just for Compliance,” that revealed more than 56% of corporate employees had not received security or policy awareness training from their organizations.
Why is this alarming? EMA Research Director David Monahan says it well: “People repeatedly have been shown as the weak link in security. Without training, people will click on links in email and release sensitive information in any number of ways. In most cases they don’t realize what they are doing is wrong until a third party makes them aware of it… In reality, organizations that fail to train their people are doing their business, their personnel and, quite frankly, the Internet as a whole a disservice because their employees not only make poor security decisions at work but also at home on their personal computing devices as well.”
Security awareness training seems to be (at least as I perceive it) the purview of IT, but it should be a big concern for compliance as well, because employees always pose risk. Why? The study shows that they have some really bad habits:
30% leave mobile devices unattended in their vehicles
33% use the same password for both work and personal devices
35% have clicked on a link contained in an unsolicited email
58% store sensitive information on their mobile devices
59% have admitted storing work information in the cloud
Those stats are downright scary.
2. Some Confuse Security Awareness Training With Security Training
Steve Ragan, the author of “No Money, No Problem: Building a Security Awareness Program on a Shoestring Budget” in CSO Magazine, says it’s important to distinguish between information security training and security awareness training (or security awareness programs). Information security training gives employees a structured set of rules and tests their knowledge of those rules; that is what most auditors will look for when assessing compliance. By contrast, the goal of security awareness is to modify behavior and keep security top of mind with employees. Another key difference: security training is typically done annually, while an awareness program is an ongoing process.
The author makes another good point, which we fully support: awareness programs are not a replacement for solid security infrastructure and policies. Any compliance officer worth his or her salt would agree. Awareness programs are a vital way to augment policies and earn employee mindshare on critical topics, but they do not replace the policies that establish guidelines for behavior.
3. There are Seven Reasons Security Awareness Programs Fail
An astute set of authors at CSO magazine, who write frequently on the subject of security awareness, distilled the reasons why programs fail. I found some of these intuitive and some rather surprising.
Not understanding what security awareness really is – This totally aligns with the last point. Many people don’t understand the difference between security awareness programs and security training.
Reliance on checking the box – Because the compliance standards for awareness are vague, auditors, who generally don’t know much about awareness, will almost always approve the once-a-year, 10-minute awareness video, as long as it has a quiz at the end and you can verify that all employees have passed the quiz. That really doesn’t measure effectiveness; it’s just checking the box.
Failing to acknowledge that awareness is a unique discipline – As a marketer, I completely appreciate this point. Many compliance awareness programs fail because they’re designed by lawyers who don’t know how to “market” compliance. As the authors put it “Just as you would not want to assign a person with no experience or decent technical ability to maintain a corporate firewall infrastructure, you do not want to hire a person without any awareness experience or communications ability to run an organizational awareness program.”
Lack of engaging and appropriate materials – We have a very talented digital media group and they understand this. If you don’t use materials that engage the employees, the program will fail. Further, what engages older employees in one geography will not work on millennials in another, which is why the best awareness programs utilize multiple media and vehicles.
Not collecting metrics – Like with any other program, how can you measure effectiveness without metrics? Strike that – without the RIGHT metrics? If you track over time, you can see trends and tweak the measurements based on the lessons you learn.
Unreasonable expectations – Expectation-setting… the (corporate) world would be a better place if we all did more of it. Security awareness is very important, but it will never prevent every incident. Your other compliance training and awareness programs (sexual harassment training, anti-bribery training) aren’t going to prevent every incident either. They are controls put in place to mitigate risks. There should also be plans in place to limit the impact when a control fails, but that’s a job for the risk people out there.
Relying upon a single training exercise – I thought this was interesting as well. Apparently many companies only focus on one single type of attack (e.g., phishing) in their security awareness programs. However, that leaves them vulnerable to other types. An awareness program should be more comprehensive and cover multiple types of threats.
One thread that ran through each article was that “people are the weakest link in the security program.” That really encapsulates the ultimate reason why you need security awareness training. It’s similar to something I always say about employees: they are your biggest asset but they are also your biggest source of risk. It’s why training and awareness programs – security awareness being one of them – are so vital to ethics and compliance success.