Ineffective training leaving businesses exposed, report warns
Ineffective security awareness training is leaving UK businesses dangerously exposed to the significant consequences of an information security breach, consulting firm Protiviti has warned.
Despite increased levels of training at both financial services and non-FS businesses, Protiviti warns that for many people the training is too basic, simply a box-ticking exercise or, worse, gives them a false sense of security.
Protiviti's Security Awareness Survey, which canvassed 1,000 employees including senior executives, found that four-fifths (81 per cent) of respondents believed they have an average to excellent understanding of modern IT security and risks within their organisation.
However, a separate Protiviti study of senior information security and risk professionals working across a range of UK firms reported that key information security messages are still not getting through to significant numbers of employees, and that good information security practices are still not part of the risk culture at many UK businesses. This is despite recent, high-profile security breaches, often caused by human error, and the severe consequences that have followed.
According to senior information security and risk professionals, around two-thirds (61 per cent) of employees actually have a generally low level of understanding of information security risks and fail to put into practice effective procedures they have been taught in training. Almost three quarters (71 per cent) thought employees had a poor understanding of the positive role they could play in reducing security risks and a majority (57 per cent) said they had noticed no change in employee behaviour after completing security awareness training.
In contrast, according to the Security Awareness Survey, 93 per cent of respondents who had undergone security training believed that it had made them more aware of information security risks and of what they needed to do to reduce them. Alarmingly, almost four in ten office workers said they have never had data security awareness training. This figure increases to more than half (52 per cent) when only non-financial services organisations are considered.
Ryan Rubin, director, Protiviti UK, said: "Many respondents to our survey report that they have made significant changes in the way that they work and the way they use technology at home following security awareness training. There is, therefore, value in training, provided it is effective.
"However, information security training needs to be more focused on employees' roles and the consequences of information security breaches and less on the basic mechanics of security."