“We don’t need no education . . .”
I couldn’t help but think of that line from a Pink Floyd song when I saw the headline on an eSecurity Planet article, “Majority of Employees Don’t Receive Security Awareness Training.”
The article goes on to report on a study by Enterprise Management Associates called Security Awareness Training: It's Not Just for Compliance. The study interviewed 600 people at companies of all sizes, from the very small to the very large, and what it found was that more than half of employees not working in IT or security receive no security awareness training. However, business size did make a difference – midsize businesses fared the worst when it comes to security education.
Not surprisingly, the study also found that employees practice a lot of bad habits that put the organization’s security at risk. According to Softpedia:
For instance, 30 percent leave mobile devices unattended in their vehicles and 33 percent use the same password for both work and personal devices. Furthermore, 35 percent have clicked on a link contained in an unsolicited email, 58 percent store sensitive information on their mobile devices, and 59 percent have admitted storing work information in the cloud.
While the report does a good job covering the basics of the lack of security awareness training and what it means to an organization, the next step is to figure out why it isn’t being implemented. A CSO article suggested that perhaps the problem is that organizations don’t really understand what security awareness training is:
There is a major difference between security awareness programs and security training. Training is about providing a set body of knowledge and typically tests for short-term comprehension. Watching the standard "awareness" video is an example of such training.
The primary purpose of security awareness is to change behavior. There is no test of short-term comprehension. The only "test" is how a person behaves on an ongoing basis in the real world.
Another issue is something I touched on a few months ago – it’s difficult to pass along security awareness to employees if the executives don’t understand basic cybersecurity concerns.
Not everyone in the security world believes that security awareness training is even necessary. As Bruce Schneier wrote in a Dark Reading article:
To those who think that training users in security is a good idea, I want to ask: "Have you ever met an actual user?" They're not experts, and we can’t expect them to become experts. The threats change constantly, the likelihood of failure is low, and there is enough complexity that it’s hard for people to understand how to connect their behaviors to eventual outcomes. So they turn to folk remedies that, while simple, don't really address the threats.
Schneier added that he thinks that the need for security awareness training shows how the computer industry has failed. He may be right on that issue, but saying that doesn’t make our networks any safer. And I’m going to disagree with Schneier’s above statement. I’ve met lots of regular old computer users, and while they aren’t up to speed on all of the latest threats to the network, they are quite capable of understanding how their behavior has consequences if it is explained to them. Maybe basic practices can’t address the threats directly, but they can add one small layer of security that keeps the network a little safer.