Security Awareness Training:
Are We Getting Any Better at
Organizational and Internet Security?
David Monahan
Research Director, Security and Risk Management
Enterprise Management Associates
http://www.enterprisemanagement.com
Today’s Presenter
David Monahan - Research Director, EMA
David is a senior information security executive with several years of experience. He has organized and managed both physical and information security programs, including security and network operations (SOCs and NOCs) for organizations ranging from Fortune 100 companies to local government and small public and private companies. He has diverse audit and compliance and risk and privacy experience such as providing strategic and tactical leadership to develop, architect, and deploy assurance controls; delivering process and policy documentation and training; and working on educational and technical solutions.
Logistics for Today’s Webinar
Slide 3 © 2015 Enterprise Management Associates, Inc.
• Event recording: an archived version of the event recording will be available at www.enterprisemanagement.com
• Questions: log questions in the Q&A panel located on the lower right corner of your screen; questions will be addressed during the Q&A session of the event
Research Sponsors
Demographics
Survey Breakout: 590 respondents (LOB, IT, and Security roles), North American-based.
Respondents by Organizational Size: Enterprise 41%, SMB 39%, Midmarket 20%.
Respondents’ Organizations by Operating Geographies: North America 100%, Central & South America (Latin America) 18%, Europe-Middle East-Africa (EMEA) 23%, Asia-Pacific (APAC) 19%.
Respondents by Industry Vertical (Sample Size = 155): Technology & Tech Services 19%; Utilities/Infrastructure/Manufacturing 13%; Gov't/Defense/Non-Profit 12%; Finance/Banking/Insurance 12%; Retail 11%; Non-tech Consulting & Professional Services 10%; Other 9%; Health care/Medical/Pharma 8%; Education 7%.
Program Effectiveness: Summary Data
TRAINING IS LACKING. WOW!
Chart: 2014 No 56%, Yes 44%; 2015 No 41%, Yes 59%.
2015 Top 5 Training Topics vs. Top 5 Perceived Most Important vs. Top 5 Largest Perceived Threat Areas
Top 5 Training Topics | Top 5 Most Important | Top 5 Perceived Threat Areas
Email Security or Phishing | Information Handling/Classification or Data Leak/Loss Prevention | Information Handling/Classification or Data Leak/Loss Prevention
Password Management | Email Security or Phishing | Email Security or Phishing
Privacy | Web/Internet Security | Web/Internet Security
Web/Internet Security | HIPAA/HITECH/PHI | Identity Theft
Wi-Fi Security | Privacy | Password Management
1. A match in column 1 and column 2 means organizations understand where the largest training gaps are.
2. A match in column 2 and column 3 means participants are getting training that can help us reduce risk the most.
3. A match in column 1 and column 3 means that we are applying training to the largest risk areas without necessarily understanding current knowledge levels.
2014 vs. 2015 Training Periodicity (chart; 2014 and 2015 series by category: Annually, Semi-annually, Quarterly, Monthly, Semi-monthly, Continually, Periodically or seemingly randomly, Post-incident/event)
2014 vs. 2015 Hours of Training Required
How many hours of security awareness training are you required by your organization to complete each year? (Sample Size = 133)
> 5 hrs: 2014 23%, 2015 15%
> 3 hrs but <= 5 hrs: 2014 15%, 2015 24%
> 1 but <= 3 hrs: 2014 33%, 2015 35%
<= 1 hr: 2014 14%, 2015 12%
None: 2014 14%, 2015 15%
2015 Perceived Awareness Training Delivery Quality by Organization Size
Positive experience / negative experience: Enterprise 80% / 20%; Midmarket 80% / 20%; SMB 88% / 12%.
2015 Measuring Awareness Training Effectiveness by Role
Yes / No / I don't know: IT 73% / 16% / 12%; Security 65% / 26% / 9%; LoB 56% / 14% / 31%.
2014 vs. 2015 Awareness Training Delivery Methods (chart; 2014 and 2015 series by method: Email Message/Newsletter; Interactive, Online/Web-based; Lecturer; Non-interactive, Online/Web-based; Simulated Social Engineering)
2014 vs. 2015 Awareness Training Spend per Person (chart; 2014 and 2015 series by spend bracket: < $5, $5 - $9.99, $10 - $19.99, $20 - $29.99, $30 - $39.99, $40 - $49.99, $50 or more)
2014 vs. 2015 Perceived Amount of Training Needed to Perform Role
Entirely excessive: 2014 12%, 2015 19%
Somewhat excessive: 2014 6%, 2015 12%
Appropriate: 2014 77%, 2015 62%
Somewhat Insufficient: 2014 0%, 2015 6%
Entirely Insufficient: 2014 5%, 2015 0%
2014 vs. 2015 Respondents that Have Clicked a Link from an Unknown Sender (in the last year)
Yes: 2014 35%, 2015 28%
No: 2014 65%, 2015 72%
2015 Processes for Reporting Security Incidents
What methods does your organization use to report proprietary/sensitive/confidential business information releases?
Phone hotline 32%; Email to help desk or security 43%; Website 21%; Other 4%.
2014 vs. 2015 Motivations for NOT Reporting Data Leakage/Loss
In your opinion, what are the most common reasons that individuals do not report proprietary/sensitive/confidential business information releases?
Embarrassment: 2014 31%, 2015 35%
Fear of getting fired: 2014 32%, 2015 36%
Not knowing the process or who to contact to report it: 2014 35%, 2015 27%
Other: 2014 2%, 2015 2%
2014 vs. 2015 Security Training and Personal Choices
Lack of training lowers security in not only the business, but the Internet community as a whole.
Do you feel that the security awareness training you receive at work influences how you make choices about security outside of work?
Yes: 2015 83%, 2014 84%
No: 2015 17%, 2014 16%
Summary
• Training content is becoming more accessible to organizations of all sizes from both a delivery and cost perspective.
• Programs are becoming more effective and have better measurement and management capabilities.
• Due to training, employees are better at recognizing various forms of social engineering.
• Trained personnel recognize that they make better security choices at home as well as at work, further increasing the value of training.
Learn more & access report at
www.enterprisemanagement.com