BreachExchange mailing list archives
Security Awareness Training Missing in Midsize Companies
From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Mon, 23 Jun 2014 20:22:01 -0600
http://midsizeinsider.com/en-us/article/security-awareness-training-missing-in-m#.U6iZmpRX-uY

When a company suffers a data breach or attack on its network, it is easy to point fingers at a nameless outside hacker. However, as a recent CIO article points out, the real problem is when employees fall for social engineering techniques that result in stolen access credentials. Employees are susceptible to social engineering efforts like phishing scams because they have not had security awareness training.

No Training at All

According to a study by Enterprise Management Associates (EMA), reported by Taylor Armerding at CIO, 56 percent of workers across organizations of all sizes may not receive formal security education despite the fact that four out of every five breaches are caused by employee error. Because they lack proper training, employees are easy prey for sophisticated attacks.

The employees lack training for a variety of reasons, says Armerding. David Monahan, research director for security and risk management at EMA, explains that too many organizations simply do not see value in security awareness training, often a signal of poor training programs in general. "Awareness training performed as a seminar, aka 'death by monologue' or 'death by PowerPoint,' will not get the attention and retention needed to affect change," he said.

Changing Habits

In order to inspire employees to change their habits, the training must include examples of why these habits put the company at risk and why the new procedures will benefit the employee both at work and at home. If the employee understands the consequences that may result from using the same password for multiple sites or clicking on an unverified link, they might think twice before reverting back to old habits.

Recent stories concerning high-profile breaches that were caused by employee error have already helped to raise basic awareness of personal data security. The next step is to raise the awareness of why security best practices are equally important in the workplace. Employees already have a personal stake in data breaches that affect their finances or identity, so why not provide a sense of "ownership" in enterprise data breaches? By communicating the actual cost of a breach and how difficult it is for a small or midsize business (SMB) to recover from a network attack, employees may gain a better understanding of just how serious security threats can be.

Unfortunately, one obstacle that most SMBs face in regards to security awareness training is who will facilitate the education process. It is the rare SMB that has a security team on staff; security is usually handled by the IT department, which may already be small, overworked and under-budget.

One place to start is with free online security training courses. The courses are often hands-on, so no "death by monologue" to worry about. There are also options that allow IT departments to tailor online training courses for their specific business needs. Security training programs that are user-friendly and provide a solid background on why security practices are so important will go a long way in keeping the company's network safe — and keep employees from making expensive mistakes.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/