Businesses put a lot of time, money and effort into protecting sensitive corporate and customer data. However, employees may be compromising these security initiatives by engaging in negligent behavior – and most of the time, they are unaware that these actions are contributing to any vulnerabilities. Staff members are often a primary vector for cybercriminals to gain access to the network and important information. That’s why it’s crucial for firms to offer strong security awareness training to all employees. These programs can equip workers with the knowledge they need to minimize organizational risk, as long as they are carried out effectively.
While many firms may be confident about their security efforts, a new survey by Enterprise Management Associates revealed that many employees are still engaging in risky behaviors. In fact, 58 percent of staff admitted to having sensitive information on their personal mobile devices. Additionally, 35 percent of respondents have clicked on a link in an unknown sender’s email, which is a common tactic used in phishing attacks. Another 33 percent said they use the same password for both their work and personal devices, and 30 percent of survey participants admitted they leave their mobile devices unattended in their vehicles.
These findings are undoubtedly concerning to organizations, but who is to blame for this conduct? According to the EMA survey, 56 percent of corporate employees haven’t had any security awareness training from their companies. If workers are not being provided with the right information and resources, they cannot be expected to make secure decisions.
“People repeatedly have been shown as the weak link in the security program,” explained EMA Research Director David Monahan. “In most cases they don’t realize what they are doing is wrong until a third party makes them aware of it.”
Clearly, these programs have substantial value for organizations. However, the quality of these initiatives is an equally significant consideration. EMA’s study determined that 45 percent of staff members receive security awareness training in just one annual session – hardly adequate for such complex and urgent issues.
So what should companies focus on in these initiatives? Marie White, co-founder, CEO and president of Security Mentor, the security awareness training company that sponsored the report, told SCMagazine.com that training materials should be easy to understand for all employees. It’s also worth noting that, because 59 percent of employees said interactivity is an important aspect of their training, it’s in a business’s best interest to make these programs engaging to participants.
As organizations look to ramp up their security awareness efforts, they can use training software to develop highly interactive materials that inform employees about how they can best reduce risk, and then generate quizzes to test their knowledge. Since employers can also track users’ progress within the learning management system, it’s easy to identify which staff members may need additional training or are unclear about which unsafe behaviors could expose sensitive information. One of the best things about online training software is that it can be accessed on a multitude of devices, in any location and at any time. Making security awareness programs more convenient to participate in makes it more likely that employees will complete the necessary training.
Ideally, though, organizations will implement a range of multi-modal materials in their security awareness programs. CSO Online explained that a learning management system is invaluable in these efforts, but it’s also helpful to consider other tools such as posters, simulations and newsfeeds. The source advised taking different generations into account as well. For example, Gen Y workers may connect best to the information when it’s presented through a blog or game. Lastly, the news outlet stressed that enterprises should focus on creativity and enthusiasm in these efforts.