Security Training at Most Companies is Woefully Lacking

Human error and lack of internal security awareness are the biggest sources for data breaches and risk to organizations. Yet 78% of SMBs conduct security training just once a year (or less).

According to Shred-it’s 2016 Security Tracker survey (conducted by Ipsos), US companies are failing to prioritize employee training to mitigate fraud and breaches. It’s not just a small business problem either: half (51%) of C-suite respondents report that they, too, only conduct employee training on information security practices once a year or less.

Given that experts suggest employees can forget 90% of training information within a week, training once a year is a wildly insufficient practice for effective security awareness.

Shred-It suggests a multipronged strategy:

  1. Commit to a Culture of Security: When management demonstrates a commitment to information security, employees are more likely to follow suit.
  2. Repetition and Frequency is Key: Training should occur throughout the year and include various modules on organizational information security policies.
  3. Out of Sight, Out of Mind: Place visual cues throughout the office to remind employees of their responsibilities in protecting confidential information.
  4. Go Where Your Employees Are: A growing number of employees are now working outside of the traditional office environment. Ensure training addresses the safe usage of confidential information for both office and remote workers.
  5. Embed It: Make security best practices a seamless part of daily tasks.

This is a great summary by Tara Seals of actions to enhance security awareness among employees. Where Andrew Lenardon is focusing on process improvement actions that management should act on, I think that preventing employees from becoming the weakest link is key. We also have to think more creatively about how to enhance their professional knowledge on this subject.

See our website for our vision and support offering on this interesting theme: