Ineffective security awareness training is leaving UK businesses dangerously exposed to the significant consequences of an information security breach, warns Protiviti, the global consulting firm. Despite increased levels of training at both financial services (FS) and non-FS businesses, Protiviti cautions that for many people the training is too basic, is simply a box-ticking exercise or, worse, gives them a false sense of security.
Protiviti’s Security Awareness Survey [1], which canvassed 1,000 employees including senior executives, found that four-fifths (81%) of respondents believed they have an average to excellent understanding of modern IT security and of the risks within their organisation.
However, a separate Protiviti study [2] of senior information security and risk professionals working across a range of UK firms reported that key information security messages are still not getting through to significant numbers of employees, and that good information security practices are still not part of the risk culture at many UK businesses. This is despite recent high-profile security breaches, often caused by human error, and the severe consequences that have followed them.
According to the senior information security and risk professionals surveyed [2], around three-fifths (61%) of employees actually have a generally low level of understanding of information security risks and fail to put into practice the procedures they have been taught in training. Almost three-quarters (71%) thought employees had a poor understanding of the positive role they could play in reducing security risks, and a majority (57%) said they had noticed no change in employee behaviour after security awareness training was completed.
In contrast, according to the Security Awareness Survey [1], 93% of respondents who had undergone security training believed that it had made them more aware of information security risks and of what they needed to do to reduce them. Alarmingly, almost four in ten office workers said they have never had data security awareness training. This figure rises to over half (52%) among non-financial services organisations alone. Further, of those who have had training, only a third (32%) have had it within the last 12 months, which is clearly inadequate given the speed with which new information security threats emerge.
Ryan Rubin, Director, Protiviti UK, said: “Many respondents to our survey [1] report that they have made significant changes in the way that they work and the way they use technology at home following security awareness training. There is, therefore, value in training, provided it is effective. However, information security training needs to be more focused on employees’ roles and the consequences of information security breaches and less on the basic mechanics of security.”