- Protiviti studies show poor correlation between employee perceptions of information security risks and the reality expressed by senior information security and risk professionals
- Almost four in ten (37%) office workers report they have never had data security awareness training - this increases to 52% at non-financial services organisations
Ineffective security awareness training is leaving UK businesses dangerously exposed to the significant consequences of an information security breach, warns Protiviti, the global consulting firm. Despite increased levels of training at both financial services and non-FS businesses, Protiviti warns that for many people, the training is too basic, simply a box ticking exercise, or worse, giving them a false sense of security.
Protiviti’s Security Awareness Survey1, which canvassed 1,000 employees including senior executives, found that four-fifths (81%) of respondents believed they have an average to excellent understanding of modern IT security and risks within their organisation.
However, in a separate Protiviti study2 of senior information security and risk professionals working across a range of UK firms, it was reported that key information security messages are still not getting through to significant numbers of employees, and that good information security practices are still not part of the risk culture at many UK businesses. This is despite recent, high-profile cases of security breaches, often caused by human error and the severe consequences that have followed.
According to senior information security and risk professionals2, around two-thirds (61%) of employees actually have a generally low level of understanding of information security risks and fail to put into practice effective procedures they have been taught in training. Almost three quarters (71%) thought employees had a poor understanding of the positive role they could play in reducing security risks and a majority (57%) said they had noticed no change in employee behaviour after completing security awareness training.
In contrast, according to the Security Awareness Survey1, 93% of respondents that had undergone security training believed that it had made them more aware of information security risks and what they needed to do in order to reduce them. Alarmingly, almost four in ten office workers said they have never had data security awareness training. This figure increases to over half (52%) if you only look at non-financial services organisations. Further, of those that have had training, a third (32%) have only had training in the last 12 months, which is clearly inadequate given the speed with which new information security threats emerge.
Ryan Rubin, Director, Protiviti UK, said: “Many respondents to our survey1 report that they have made significant changes in the way that they work and the way they use technology at home following security awareness training. There is, therefore, value in training, provided it is effective. However, information security training needs to be more focused on employees’ roles and the consequences of information security breaches and less on the basic mechanics of security.”
According to the Protiviti Security Awareness Survey1, training does have an impact on behaviour. Asked how they had changed their behaviour after completing security training, 55% of employees1 said they had become more careful where they leave laptops, phones or USBs. The top five most changed behaviours overall were:
% of respondents who have changed behavior
Being more careful where they leave laptops, phones or USBs
Being more wary with email
Being more wary of applications downloaded
Changing password complexity
Being more wary of photos/ comments on social media
Source: Protiviti Security Awareness Survey 20121
Ryan Rubin, Director, Protiviti UK, said: “We continue to see security incidents arising that could have been easily avoided had better disciplines been followed. People are clearly not heeding the warnings and do not understand the very serious consequences of poor security practice. Many people will ignore rules where the rules are seen as an inconvenience, where it is deemed ‘socially acceptable’ or where there is perceived to be no personal consequences of failing to comply with the rules. For training to be effective, it needs to be tailored to the roles of employees, and many organisations need to review both the nature and frequency of their training. Reporting security breaches and ‘near breaches’ is one good way to help improve security awareness.
“While effective training does have an impact on employee behaviour, for many companies the wake-up call comes only when there is a significant incident, such as a major information security incident. By providing regular information security awareness training, with the right messages conveyed, many organisations can mitigate against the worst of these threats.”
1 Protiviti Security Awareness Survey conducted at the end of September 2012 with 1,000 people from companies with 100+ employees
2 20 senior information security and risk professionals