Workplace security awareness programmes lacking in efficacy, says study

In a new survey study, only 50 percent of corporate decision-makers agreed that their company’s current level of employee cyber-security training actually reduces noncompliant behaviours.
In a new survey study, only 50 percent of corporate decision-makers agreed that their company’s current level of employee cyber-security training actually reduces noncompliant behaviours.

Just because a company offers a cyber-security awareness and training programme to its employees doesn't mean it's necessarily doing enough to change workers' dangerous online behaviours, according to a new report from Experian and Ponemon Institute.

The study, “Managing Insider Risk through Training & Culture,” is based on a survey of 601 IT executives and other corporate decision-makers whose companies provide data protection and privacy courses to their employees. In this survey, a discouraging 60 percent of respondents said that employees at their workplace were either not knowledgeable or had no knowledge at all in cyber-security, despite the availability of these training programmes.

But before pointing the finger at the workers themselves, consider that it might be the training that is inadequate. Indeed, only 35 percent of respondents said that senior executives within their organisation placed a high priority on teaching employees about data threats and their consequences. Perhaps it's not all that surprising then that only 50 percent respondents agreed that their company's current level of employee training actually reduces noncompliant behaviours, while only 43 percent believe the training is effective at minimising loss or theft of confidential data.

Digging deeper, 43 percent said that their corporate training is comprised of merely one basic course, generalised for all employees across all departments. “These basic courses often do not provide training on the risks that lead to data breaches,” the report explains. In fact, only 49 percent of survey-takers said that their company's security course includes lessons on phishing and social engineering. Even fewer said that their training programme covers mobile device security (38 percent) and cloud security (29 percent).

That a cyber-security training course would exclude something as prevalent and pervasive as a phishing attack is at best head-scratching to some experts. “Phishing and social engineering attacks have been shown to result in data breaches. Training programmes should show the consequences of these attacks and how to avoid falling prey to them,” said Larry Ponemon, chairman and founder of Ponemon Institute, in an emailed statement to SCMagazine.com.

Moreover, only 54 percent of respondents' companies indicated that corporate security training was mandatory at their place of work. "It just seems unconscionable that you have 60 percent of companies say that employees aren't knowledgeable, but only 45 percent make training mandatory,” Michael Bruemmer,vice president of Experian Data Breach Resolution, told SCMagazine.com.

Even when training is required, many companies have exemptions for certain categories of employees, leaving them susceptible to worker error and also potentially setting a bad example. Of the survey takers who replied that their security programmes were mandatory, 29 percent said that C-level executives were excused from participating, while 55 percent said that contract workers were exempted.

Furthermore, only 30 percent of respondents' companies required employees to take or retake the course following a data breach — a stat that's even more worrisome when considering that 55 percent of respondents said their organisation had a security incident or data breach resulting from a malicious or negligent employee.