This website caught my eye. It comes from Westfield Insurance and the first sentence ponders the question: Does the company really need information security training? The short answer is, of course, yes:
Setting aside the value-based approach of "doing the the right thing" to keep information secure and private, most people are surprised to learn Information Security awareness and training is a compliance obligation often required by law, industry regulation, and or business contract. Additionally, it is called out in numerous "best practice" frameworks.
That's the right attitude, but one that many companies, especially small and medium-sized businesses, don't put into practice. My colleague Paul Mah wrote about a study co-sponsored by the National Cyber Security Alliance and Symantec:
Perhaps what struck me most was the fact that only 35 percent of SMBs provide training to their employees on the areas of Internet safety and security. Even for SMBs who say they offer training, the majority -- 63 percent -- actually offer less than five hours a year. That's just half a typical work day for you, and we haven't even started nitpicking on the topics covered or the quality of the "security" training yet.
Add to that information posted at InformationWeek:
Firms with fewer than 1,000 employees typically don't have a dedicated security team, unless they're highly regulated. Security functions get delegated to a jack-of-all-trades who has to "deal with" security. Too often, it's ignored by executive managers, who don't expect any real pain from weak security. This leads to an overemphasis on check-box security, like making sure operating systems are patched, and not enough on assessing risks and training end users against them.
So what steps can SMBs take to make sure employees are trained to keep up with information security compliance? An article at Channel Insider suggested starting small, tailoring security training programs around customers who need to fall in line with regulatory mandates, and take advantage of distance learning opportunities with trusted vendors.