Lack of Employee Security Training Plagues US Businesses

Lack of Employee Security Training Plagues US Businesses

Employee security awareness continues to be the subject of a dramatic disconnect: Research reveals that 73% of US employees believe their company provides sufficient training on how to protect sensitive information, while a similar percentage of IT personnel (72%) say that employers are not doing enough to educate employees.

The research, from Clearswift, underscores the need for more collaboration between the executive team, IT, HR and other employees within an organization to ensure the safety of sensitive information and intellectual property (IP), given that improperly trained staff are at risk of clicking on phishing links that invite attackers in, or inadvertently sending out information hidden within documents and metadata.

That’s especially critical considering that 10% of employees have lost a device containing sensitive business information, 12% have used shadow IT without authorization, and 37% of respondents say they have access to information that is above their position in the company. The risk is exacerbated by an uptick in the use of cloud applications like DropBox, Google Drive or Box, in addition to the proliferation of new communications tools in the form of social media and personal devices being used for work.

Further, a full 56% of employees in the US have access to intellectual property at work—but less than half (45%) recognize that intellectual property could damage their company if leaked. This can include new code for software products, trade secrets, designs or strategic plans, and can be very costly to lose if it is not yet protected by patents.

“The value of a company’s IP is frequently misunderstood. First off, IP comes in many guises and it’s essential for organizations to recognize ‘what’ their IP is; where it exists and who has access to it,” said Heath Davies, CEO at Clearswift. “IP is often a company’s most prized possession, if it were to fall into a competitor’s hands, or even unauthorized hands, it could cause immense financial damage to a company, or as in the case of the recent attempted US naval espionage charge, potentially result in dire effects. It is incredible that so many survey respondents say they have access to such information, yet so few seem to realize its value.”

The study also found that 62% of businesses worldwide think their employees don’t care enough about the implications of a security breach to change their behavior, and 57% admit that they need to make employees care more about the ramifications of a breach, explain the risks and talk about cases in the media.

"Most employees are not acting maliciously, but their carelessness can be just as damaging,” said Davies. “Companies need to wake up to the fact that employees have the potential to cause the company huge damage through their actions, and ensure that training, policies and technology are in place to minimize that risk. Those sitting on the board need to sit up and pay attention; critical information needs to be governed at the highest levels or it could jeopardize the future of a company."

Source: Information Security Magazine