The study also revealed a few disturbing disconnects. For example, 60% of the companies surveyed believe that their employees have no significant knowledge of their company’s security risks, despite the fact that the overwhelming majority of companies offer training in this area. This is in stark contrast to the mere 35% of senior management who see employee education on corporate security risks as a priority.
Less than half (46%) of surveyed companies make security training mandatory, but here again, we find another disturbing disconnect. The quality of security training programs varies wildly depending on the company conducting the training. Cloud-based security protocols are only covered in 29% of training courses offered, barely a third (38%) cover mobile device security, and just 49% cover social engineering and phishing attacks, which are far and away the most common and pervasive security threats faced by companies today. Taken together, it’s no wonder that only half of the companies participating in the survey strongly agreed that the security training they offer actually does anything to reduce noncompliant security behaviors.
All of this paints a disturbing picture of the state of corporate security training, but it also points to a tremendous opportunity. If you’re looking for a cost-effective way to improve security at your firm, two things need to happen. First, the company you hire to conduct training needs to be carefully and thoroughly vetted, in order to ensure that the training offered covers the specific risks that your company regularly faces. Second, upper management absolutely must get behind it. One or the other is not enough. In order to be successful, both of these need to be in place to have a successful program.