The other day, I was in a room full of CIOs, CTOs and CISOs who -- as an ice-breaking activity -- were asked to share a bad security habit. One after the other admitted to bad password hygiene, such as reusing passwords.
I was the only one in the room who used password management software, and that was only because I'd just written an article about it.
If even well-educated security experts mess up when it comes to security, can we really educate average employees to be more security aware?
In a Vanson Bourne survey this spring, IT employees were actually more likely than average to open attachments from unknown senders, download apps from outside the official app stores, and click on links on social media sites -- even though they were also more likely to know that this was risky behavior.
Training costs money and takes employees away from their jobs. If even the best-trained employees are still making bad security decisions, is training just a big waste?
Unfortunately, there's very little data available so far, but from the experiences of individual companies, training can make a difference, if it is done right. That means providing training in small, digestible units, following up with testing and reinforcement, and creating a corporate culture of security by engaging employees at all levels.
Long, comprehensive training classes can create fatigue and cause employees to zone out during the lectures, and forget the content quickly afterwards.
"It's too easy to overburden people with too many security-centric things at once," said Jason Thomas, CIO and HIPAA security officer at Ruston, La.-based Green Clinic.
But in a regulated field like healthcare, security training is a necessity, even if it annoys employees who'd rather spend their time saving lives.
"Training doesn't have to be classroom-style, eight hours a day," Thomas said.
The Green Clinic sends out short monthly notes about some aspect of HIPAA compliance.
"And then we do a short test on this," he said. "We're not trying to take them away from what they went to school for, which is treating patients, but it is part of being employed in a heavily-regulated organization."
These little educational tidbits are working, he said.
For example, a vendor recently complained about being denied access to equipment.
"A receptionist refused to provide him any details," Thomas said. Instead, she told him that he had to contact Thomas directly.
That's exactly what was supposed to happen, Thomas said.