There’s no question that there is a need for solid cybersecurity awareness training. Yet, how effective is it, really? A couple of studies I’ve seen recently make it seem like you can provide all of the cybersecurity education you want, but it won’t make any difference if your employees are ignoring whatever they are taught.
Research from CEB found that 90 percent are not following cybersecurity policies that are meant to prevent data breaches and other security threats, and doing so willingly. One of the biggest rule breakers is the use of shadow IT, with employees using their own devices and applications without company permission or approvals. For the employees, it’s about convenience, familiarity and better productivity. For IT and security staff, it’s a potential cybersecurity nightmare. As Brian Lee, Data Privacy practice leader with CEB, told Infosecurity Magazine:
Employees will often work around controls — especially ones they feel are onerous — as a way to make their job easier. This 'rationalized noncompliance' can not only increase privacy risks, but even jeopardize corporate strategy and ultimately growth.
If your employees don’t think that their behaviors and attitudes toward security don’t make an impact, consider this statistic from a NetEnrich survey: Of the respondents who said their company was a victim of a cyberattack, 43 percent said it could have been prevented with better cybersecurity policies in place. But, of course, we also need to add that the policies may be in place, but they aren’t going to work if they aren’t enforced or taken seriously, as eSecurity Planet reported:
Notably, the recent NetEnrich survey also found that 53 percent of respondents see employees, rogue or otherwise, as the greatest source of cyber attacks on companies.
It doesn’t help that cybersecurity professionals are overworked and aren’t able to police employees as well as they’d like. ESG and the Information Systems Security Association (ISSA) surveyed cybersecurity professionals around the world. They found that 55 percent think the shortage of cybersecurity professionals is much worse than we realize (so help isn’t on the way) and 63 percent admit that their own cybersecurity skills and training suffer because of their job demands.
I agree with what Tim Erlin, senior director of IT Security and Risk Strategy for Tripwire, told me in an email comment:
Data protection shouldn’t be an inhibitor to business, but it’s often perceived that way. In many ways, these survey results indicate the failure of IT security to adequately account for the needs of the very businesses they protect. If users are circumventing controls, there’s always a reason why. It may be tempting to believe that it’s simply out of convenience or laziness, but the reality is that everyone has a job to get done, and no one wants to do more work than is required.
Cybersecurity is everybody’s responsibility. I’ve said it many times. While ignoring it might seem to make your work life easier, the consequences only hurt everyone in the long run.
Sue Marquette Poremba has been writing about network security since 2008. In addition to her coverage of security issues for IT Business Edge, her security articles have been published at various sites such as Forbes, Midsize Insider and Tom's Guide. You can reach Sue via Twitter: @sueporemba