It is no wonder that this is the top concern: when asked which vulnerabilities consume the greatest amount of time, the professionals who responded to the survey reported that, on average, awareness incidents consumed the most.
So, while I already admitted that you have to take these results with a grain of salt, you need to ask yourself whether your budgets and resource expenditure show that you are at least proactively attempting to address where your time actually goes.
Surveys like this should at least cause you to assess how your current priorities and spending match the sources of the losses you face. I wish there were more to this study and this article; however, from my experience helping companies with their awareness efforts and their overall security programs, I know firsthand that there is a disconnect.
It may be argued that technical vulnerabilities are not as big of an issue precisely because they are dealt with more effectively and aggressively, and that might be true; even so, resources should be reallocated as appropriate. Technical countermeasures can also be extended to address awareness-related issues. For example, multifactor authentication can stop many social engineering attacks.
However, the reality is that most organizations address these costly losses with CBT and/or phishing simulations, and leave it at that. While each of them may be part of a security awareness program, stopping there is the non-technical equivalent of saying that a firewall and anti-virus software are good enough for a technical security program.
The issue is that there has to be a comprehensive strategy to mitigate user vulnerabilities. This strategy would typically include CBT and phishing simulations, but it must also include a constant stream of passive and active security awareness efforts. Additionally, there should be a firm analysis of available technologies to see whether they can better mitigate user vulnerabilities.
So while this study might not be definitive, it should at least make you pause to consider whether your security program is spending a significant amount of time responding to user-created incidents while its priorities don't adequately reflect those losses. Hopefully, you will take steps to address those issues, and then you will have to reconsider the focus of your security program later.