Does Your Business Require Security Training?

Sue Marquette Poremba

This website caught my eye. It comes from Westfield Insurance and the first sentence ponders the question: Does the company really need information security training? The short answer is, of course, yes:

Setting aside the value-based approach of "doing the the right thing" to keep information secure and private, most people are surprised to learn Information Security awareness and training is a compliance obligation often required by law, industry regulation, and or business contract. Additionally, it is called out in numerous "best practice" frameworks.

That's the right attitude, but one that many companies, especially small and medium-sized businesses, don't put into practice. My colleague Paul Mah wrote about a study co-sponsored by the National Cyber Security Alliance and Symantec:

Perhaps what struck me most was the fact that only 35 percent of SMBs provide training to their employees on the areas of Internet safety and security. Even for SMBs who say they offer training, the majority -- 63 percent -- actually offer less than five hours a year. That's just half a typical work day for you, and we haven't even started nitpicking on the topics covered or the quality of the "security" training yet.

Add to that information posted at InformationWeek:

Firms with fewer than 1,000 employees typically don't have a dedicated security team, unless they're highly regulated. Security functions get delegated to a jack-of-all-trades who has to "deal with" security. Too often, it's ignored by executive managers, who don't expect any real pain from weak security. This leads to an overemphasis on check-box security, like making sure operating systems are patched, and not enough on assessing risks and training end users against them.

So what steps can SMBs take to make sure employees are trained to keep up with information security compliance? An article at Channel Insider suggested starting small, tailoring security training programs around customers who need to fall in line with regulatory mandates, and take advantage of distance learning opportunities with trusted vendors.

Subscribe to our Newsletters

Sign up now and get the best business technology insights direct to your inbox.


Add Comment      Leave a comment on this blog post
Jun 23, 2010 9:37 AM Ashley from Absolute Software Ashley from Absolute Software  says:

Great post Sue!  You really bring up a great point. 

Training is definitely not just for big, complex organizations.  Companies of all shapes and sizes are at risk.  Implementing a training program is a great way to ease any anxiety about how to best manage information security.  The right regimen of in-house training, webinars, and off-site workshops can provide SMBs with the opportunity to manage, and ideally decrease, such risk.

Small businesses also need to understand that when it comes to information security, there is technology available that can make managing computers and mobiles devices much easier and more effective.  I work at Absolute Software, a company that specializes in software and services that provide an easy way to manage and secure computers and mobile devices.  Security products like the ones that we provide, can help small businesses centrally manage their Macs and PCs, automate IT processes, improve compliance and combat theft. 

If you'd like to learn more about our technology and how it can help SMBs, please visit http://www.absolute.com/en/products.aspx

Aug 6, 2010 2:52 PM Muhammad Shafiq Muhammad Shafiq  says:

There is a growing demand for individuals possessing IS audit, control and security skills, CISA is a highly recognized certification program by individuals and organizations around the world.

Tranchulas is offering preparatory online trainings for CISA examination. A certified CISA professional demonstrates proficiency and creates opportunities for any individual affiliated with the field of Information Security. To obtain further information regarding CISA trainings please visit our website:


Any other inquiries can be made at info@tranchulas.com

Sep 30, 2011 2:38 PM Octavian Paler Octavian Paler  says:

I am planning to give some awareness and training program in my company. I would like to know how to develop a security training program for the employees and especially the executives. The executives will also have the chance to take an online degree in business administration paid in full by the company. Actually I am not able to select the boundaries and the limits that should be addressed in the training program, the topic and their relevant depth. So can anyone help me with the material that should be included in the training program?


Post a comment





(Maximum characters: 1200). You have 1200 characters left.




Subscribe Daily Edge Newsletters

Sign up now and get the best business technology insights direct to your inbox.

Subscribe Daily Edge Newsletters

Sign up now and get the best business technology insights direct to your inbox.