It is now common knowledge across the information security industry that human weaknesses, not technological flaws, are what put enterprises most at risk from cyber attacks.
But, it is apparently not common enough throughout the enterprise sector. A recent report by Enterprise Management Associates (EMA) found that 56% of workers may not receive any security awareness training (SAT) at all.
The report, titled "Security Awareness Training: It's Not Just for Compliance," is based on a survey of 600 people working for companies ranging from fewer than 100 employees to more than 10,000.
Any doubts about the need for SAT should have been dispelled by last year's Verizon Data Breach Investigations Report (DBIR), which found that four out of five breaches were caused by stolen credentials usually the result of social engineering attacks or weak passwords. And there is abundant evidence that social engineering attacks have become much more sophisticated, and therefore successful.
Jeffrey Bernstein, executive vice president of Critical Defence, whose firm does post-breach forensic investigations, said he knows first-hand that, "more often than not a human mistake is the root cause of most successful breaches that we investigate."
He said in the social engineering element of penetration tests done by his firm, 75% of the time, "we tricked end-users into doing something they should not have done, like click a malicious link, enter a user name and password, open a malicious attachment, etc."
And that lack of training for a majority of workers shows in their risky behavior. As noted in a SecurityWeek story on the EMA report, about a third (33%) reported using the same password for work and personal devices; just over a third (35%) said they had clicked on an email link from an unknown sender; nearly two thirds (59%) said they stored work information in the cloud; and nearly as many (58%) said they stored sensitive information on their mobile devices.
David Monahan, research director, security and risk management at EMA, who defined the research criteria, noted the obvious problem illustrated by the results of the survey: "Many companies are not doing their part to educate their personnel on how to make appropriate security-focused or risk-based behavioral decisions," he said in a statement. "This creates a gap in the first line of attack their people."
Why such a lack of training? In an interview, Monahan said many companies don't see the value of SAT, "but that is often because they have very poor programs to begin with. They do not use best practices and often take a check-the-box' approach. Awareness training performed as a seminar, aka death by monologue' or death by PowerPoint,' will not get the attention and retention needed to affect change."
Sign up for CIO Asia eNewsletters.