This week I attended a webinar about Security Awareness Training hosted by David Monahan, Research Director of Security and Risk Management at Enterprise Management Associates.
Some astonishing numbers came out of this study of 600 employees. A whopping 56% of end-users state that they did not get any security awareness training from their employer.
Think about that for a moment, and how it translates into behavior like opening attachments infected with ransomware. Yikes. Next, the other 44% stated that they received their once-a-year training. That is almost just as worrisome, because getting reminded once a year not to click on bad links simply does not hack it (pun intended) these days. Recent scientific research shows that even being reminded every 90 days not to click on phishing links is ineffective.
Having no training obviously leads to all kinds of security policy violations, first because employees do not know what the policies are, and second because they simply don't care. Here are some more hair-raising statistics:
- 59% say they store work information on cloud services
- 58% of respondents say they store company-sensitive information on their personal devices
- 35% of the respondents say they have clicked on an email link from an unknown sender
- 33% say they use the same password for both work and personal devices
- 30% say they leave mobile devices unattended in their vehicles
This is the Internet equivalent of taking candy from strangers. "People repeatedly have been shown as the weak link in the security program," stated Monahan. "Without training, people will click on links in email and release sensitive information in any number of ways. In most cases they don't realize what they are doing is wrong until a third party makes them aware of it."
He took the words right out of my mouth, and I'm glad someone else is confirming the sorry state of affairs with security awareness training.