4/10/2014
08:00 AM
Tim Wilson
Majority Of Users Have Not Received Security Awareness Training, Study Says

Many users fail to follow policies on mobile, cloud security, EMA Research study says.

More than half of enterprise employees have received no security awareness training, and that lack of training is resulting in risky behavior, according to a study published Tuesday.

The survey of 600 employees, conducted by EMA Research and sponsored by training firm Security Mentor, indicates that 56 percent of workers say they have not had security or policy awareness training from their organizations. The remainder of employees (44 percent) say they have received annual training.

The absence of training leads to frequent violations of security policy, according to the study. Some 58 percent of respondents say they store company-sensitive information on their personal devices; 59 percent say they store work information on cloud services.

Thirty-five percent of the respondents say they have clicked on an email link from an unknown sender; 33 percent say they use the same password for both work and personal devices; 30 percent say they leave mobile devices unattended in their vehicles.

"People repeatedly have been shown as the weak link in the security program," says EMA Research analyst David Monahan, who authored the study. "Without training, people will click on links in email and release sensitive information in any number of ways. In most cases they don't realize what they are doing is wrong until a third party makes them aware of it."

The full findings of the report will be outlined in a webcast on Apr. 15.

Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ...

Comments
Bprince, User Rank: Ninja
4/17/2014 | 12:54:05 AM
Re: Security Awareness Training or lack of it
I find it hard to believe, Johnrobie, that security loses in a risk versus cost argument, but I suppose that given the survey's findings, it is entirely possible. Enterprises can design their own security awareness programs, though, so I would think that costs could be controlled. In the end, I think security awareness programs should just be another layer of layered security.

http://www.securingthehuman.org/resources/planning
Kwattman, User Rank: Apprentice
4/14/2014 | 10:23:55 AM
Security awareness best practices
To add to the prior conversation, these days you need to have an employee security education and behavior management program in place which first establishes a baseline phish-prone percentage, then a thorough training program that covers the main attack vectors, and then constant repetition that effectively influences the behavior of the employee at their place of work, which is right in the inbox they work out of every day.

The security awareness program administrator needs to think like a PR/Marketing manager. They need to promote the program, "sell" it to the whole organization, and make it as easy as possible to deploy the program with the minimum amount of disruption and loss of time.

The easiest way to do this is to send all employees regular simulated phishing attacks using various topics like banking, current events, IT, healthcare, social networking and more. If an employee clicks on a link, they get instant feedback that they clicked on a phishing link. These clicks get tracked and reported to the program administrator. The program administrator can then work with HR to get the employee better trained and, if repeated over and over with no change, determine what kind of improvement process needs to take place in alignment with individual company policies. This makes it cooperative and not just an IT problem.
Marilyn Cohodas, User Rank: Strategist
4/14/2014 | 9:01:29 AM
Re: Security Awareness Training or lack of it
I really like your idea about making people more aware of their organizations' InfoSec services/solutions in order to help them make better decisions. As an end user (not an InfoSec pro) I would greatly appreciate whatever assistance the security team can give me that shrinks my "know-do" gap.
JasonSachowski, User Rank: Author
4/14/2014 | 8:45:53 AM
Re: Security Awareness Training or lack of it
You could tie this back to individual performance ratings, but are you able to 100% guarantee that every alert/event generated was intentional and that it was not a result of other factors (e.g. malware propagation)?

Could we say that the completion of scheduled awareness training, on whatever frequency, should be mandatory to remain employed? In that context, most organizations have established this requirement for employee acceptance of the business conduct policies, so the addition of security awareness training under this same requirement makes sense. While there are security topics that must be covered throughout an organization, there might be different levels to this training depending on role or job functions. Keep it simple and short by making security topics relevant, direct, and in practical (non-technical) language.

Aside from the scheduled awareness training, we have to look for ways to improve the marketing of our InfoSec services/solutions so that our employees are better equipped to make educated decisions and reduce the "know-do" gap. This strategy can be used to fill the time between scheduled training and further educate employees on new and/or existing security best practices, industry happenings, or at-home advice. With employees becoming much more mobile, it would be better to avoid generating "security reports" and focus more on using other means of communication such as informational posters on bulletin boards, rotational advertisements on internal displays, or even online forums to collaborate.
Marilyn Cohodas, User Rank: Strategist
4/11/2014 | 1:06:44 PM
Re: Security Awareness Training or lack of it
@JasonSachowski, you hit the nail on the head with your point about making user awareness personal and relevant to people's jobs. But how do you do that? Tie it to job performance?
JasonSachowski, User Rank: Author
4/11/2014 | 12:47:48 PM
Re: Security Awareness Training or lack of it
Not only should we conduct security awareness using industry best practices, but to expand on @Kwattman's comments below, we have to make it more personal and relevant to their jobs/lives to make it truly effective. There is most likely a percentage of every organization's workforce that does not truly understand what services/solutions are offered through their InfoSec teams that they can use to stay secure, or even how they as an employee contribute to the overall security posture of their organization.
Kwattman, User Rank: Apprentice
4/11/2014 | 11:44:09 AM
Re: Security Awareness Training or lack of it
KnowBe4's Kevin Mitnick Security Awareness Training, Wombat, and PhishMe are some of the top programs. Gartner is doing an MQ on the field this fall, as the need has grown so much, and will publish around October.
Randy Naramore, User Rank: Ninja
4/11/2014 | 11:36:16 AM
Re: Security Awareness Training or lack of it
True statement; once a year is not sufficient. Do you have examples of other programs?
Kwattman, User Rank: Apprentice
4/11/2014 | 11:32:18 AM
Re: Security Awareness Training or lack of it
Part of the problem is that the ineffective once-a-year training gives security awareness a bad name. Users need behavior training that is closely tied to their workflow so they can get used to proper behavior. You have to tie it to something that makes sense to the user for it to be remembered easily. And do it repeatedly. That way it becomes instinctive, and when the user is rushed or behind in his/her work, they will still take the time to think about what they are doing. But they have to notice, and the only way to get that to happen is to bring awareness up and make it personal. There are some great programs that do this.
Marilyn Cohodas, User Rank: Strategist
4/10/2014 | 12:23:11 PM
Re: Security Awareness Training or lack of it
I'm curious to know whether those who received training believed that it was worthwhile. And if not, what they think would be more effective.