A new research survey by EMA takes you inside today’s organizations to reveal how employee decisions related to information security can significantly increase organizational risk. The report examines the implementation of security awareness training in government, public and private companies and non-profit groups.
According to employee responses in the survey report:
- 30% leave mobile devices unattended in their vehicle
- 33% use the same password for both work and personal devices
- 35% have clicked on a link in an email from an unknown sender
- 58% have sensitive information on their mobile devices
- 59% store work information in the cloud
Some of the reported behaviors present inherent risks, while others depend on contributory factors like the failure to use device or data encryption.
Fifty-six percent of corporate employees, excluding security and information technology staff, have not had security or policy awareness training from their organization, while 45% of employees received training in one annual session. Without the foundation of ongoing security awareness training, employees don’t receive the critical security information they need to make secure choices.
EMA Research Director David Monahan said: “People repeatedly have been shown as the weak link in the security program. Without training, people will click on links in email and release sensitive information in any number of ways. In most cases they don’t realize what they are doing is wrong until a third party makes them aware of it.”
“In reality, organizations that fail to train their people are doing their business, their personnel and, quite frankly, the Internet as a whole a disservice because their employees not only make poor security decisions at work but also at home on their personal computing devices as well,” Monahan added.
Sixty-six percent of employees responding to the survey said it is important that training materials are easy to understand, and 59% said that interactive activities are important.
“While today’s organizations continue to harden their infrastructure to protect against the latest cyber threats, this report reveals that they too often fail to arm their employees with the critical information needed to avoid a data breach, prevent phishing, or report a possible security incident,” said Craig Kunitani, COO with Security Mentor. “Every organization should make security awareness training part of its defense in depth strategy. Many of our customers report they’ve had great success in educating their staff using our security awareness training program because of our brief, interactive, and informative lessons.”