BreachExchange mailing list archives

Security Awareness Training Missing in Midsize Companies


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Mon, 23 Jun 2014 20:22:01 -0600

http://midsizeinsider.com/en-us/article/security-awareness-training-missing-in-m#.U6iZmpRX-uY

When a company suffers a data breach or attack on its network, it is easy
to point fingers at a nameless outside hacker. However, as a recent CIO
article points out, the real problem is when employees fall for social
engineering techniques that result in stolen access credentials. Employees
are susceptible to social engineering efforts like phishing scams because
they have not had security awareness training.

No Training at All

According to a study by Enterprise Management Associates (EMA), reported by
Taylor Armerding at CIO, 56 percent of workers across organizations of all
sizes may not receive formal security education despite the fact that four
out of every five breaches are caused by employee error. Because they lack
proper training, employees are easy prey for sophisticated attacks.

The employees lack training for a variety of reasons, says Armerding. David
Monahan, research director for security and risk management at EMA,
explains that too many organizations simply do not see value in security
awareness training, often a signal of poor training programs in general.
"Awareness training performed as a seminar, aka 'death by monologue' or
'death by PowerPoint,' will not get the attention and retention needed to
effect change," he said.

Changing Habits

In order to inspire employees to change their habits, the training must
include examples of why these habits put the company at risk and why the
new procedures will benefit the employee both at work and at home. If the
employee understands the consequences that may result from using the same
password for multiple sites or clicking on an unverified link, they might
think twice before reverting to old habits.

Recent stories concerning high-profile breaches that were caused by
employee error have already helped to raise basic awareness of personal
data security. The next step is to raise the awareness of why security best
practices are equally important in the workplace. Employees already have a
personal stake in data breaches that affect their finances or identity, so
why not provide a sense of "ownership" in enterprise data breaches? By
communicating the actual cost of a breach and how difficult it is for a
small or midsize business (SMB) to recover from a network attack, employees
may gain a better understanding of just how serious security threats can be.

Unfortunately, one obstacle that most SMBs face with regard to security
awareness training is who will facilitate the education process. It is the
rare SMB that has a security team on staff; security is usually handled by
the IT department, which may already be small, overworked and under-budget.
One place to start is with free online security training courses. The
courses are often hands-on, so no "death by monologue" to worry about.
There are also options that allow IT departments to tailor online training
courses for their specific business needs.

Security training programs that are user-friendly and provide a solid
background on why security practices are so important will go a long way in
keeping the company's network safe — and keep employees from making
expensive mistakes.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
