Your Employees: The Weak Link in a Security Program

More than half of employees have not received security awareness training and as such are engaging in risky behavior that puts their companies at risk, according to EMA research.

"Security Awareness Training: It's Not Just for Compliance" report of more than 600 employees from organizations ranging from small businesses with less than 100 staff to enterprises with 20,000 employees, found that 58% have company-sensitive information on their mobile devices and 59% store work information on the cloud.

"People repeatedly have been shown as the weak link in the security program," says EMA Research analyst David Monahan, who authored the study. "Without training, people will click on links in email and release sensitive information in any number of ways. In most cases they don't realize what they are doing is wrong until a third-party makes them aware of it."

Thirty percent of employees leave mobile devices unattended in their vehicles, 33% use the same password for both work and personal devices and 35% have clicked on a link in an email from an unknown sender.

Small businesses of less than 100 employees account for the greatest percentage–44%–of untrained personnel and make up 72% percent of untrained employees when added to organizations of less than 1,000 people. Larger companies have bigger budgets from which they can allocate more training, the report states, and as such, just 8% are untrained.

The most common forms rating the training effectiveness are training completion (62%), and end of training testing (65%). The report recommends that training should be based on instructional design principles, be interactive, fun and flexible for different learning styles, provide content that addresses security concerns and threats, and easily measured to demonstrate effectiveness and reduce risk to an organization.