Security Awareness Training: Are We Getting Any Better at Organizational and Internet Security?
Category: Research Report

2014 was dubbed "the year of the breach" as over a billion consumer records across nearly every industry vertical worldwide were exposed, costing billions of dollars in recovery costs and lost revenue for the affected organizations. Though this was a tough wake-up call, many organizations have seen that technology, though a necessary part of a security strategy, is not able to fully prevent breaches. They see that people are now most often the weakest link in security defense. At the same time, the old strategies of locking down everything so people cannot possibly cause a problem increase worker and business friction to a point that is unacceptable to both, putting security programs, and the security personnel, at risk. To achieve both security and usability, security teams must create a change in mentality, and even in business culture, by making personnel more aware of and vigilant against the various attacks they face on a near-daily basis.
For the 2015 Security Awareness Training: Are We Getting Any Better at Organizational and Internet Security? report, EMA surveyed nearly 600 people in North America across the small-to-medium businesses (SMB), midmarket, and enterprise spaces. Respondents represented line of business, IT, and security/fraud/risk across major verticals including education, finance/banking/insurance, government/nonprofit, health care/medical/pharma, retail, and utilities/infrastructure.
The research revealed that a tremendous shift in awareness training programs has taken place, especially across the previously underserved SMB space. While in 2014 56% of individuals reported they had not received any training from their organizations, in 2015, 59% indicated they had now received some level of training. Other positive trends continued in the research, including the following:
** Training content is becoming more accessible to organizations of all sizes from both a delivery and cost perspective.
** Programs are becoming more effective and have better measurement and management capabilities.
** Due to training, employees are better at recognizing various forms of social engineering.
** Trained personnel recognize that they make better security choices at home as well as at work, further increasing the value of training.
Through awareness, as a collective corporate and Internet populace we are becoming more diligent in detecting and avoiding compromise by social engineering methods, especially phishing attacks. However, attackers are constantly honing their skills and adapting their attack methods. Only through continued diligence and expansion can we be successful in the long run. Program content and delivery must change to include new attack methods and programs must continue to expand to train the other 41% that have not received training as of yet.