SC Magazine recently posed this question on its website: “How frequent is the training related to the security awareness program at your organization?” When I looked at the results on September 3, more than 40% of respondents said they have no security awareness training program. Another 36% said they do annual training. That means more than 75% of responding organizations focus on security awareness and training once a year or not at all.
Let’s go ahead and compare these security training frequencies to some recent stats about frequencies of security attacks:
- According to RSA’s 2013 A Year in Review fraud report, there were nearly 450,000 phishing attacks and record estimated losses of more than $5.9 billion in 2013
- Data shared in the most recent Phishing Activity Trends Report by the Anti-Phishing Working Group (APWG) reveals that Q1 of 2014 was an incredibly busy time for fraudsters:
- The 2013 Norton Report by Symantec revealed that, globally, 50% of adults have been victims of cybercrime and risky behaviors, with 378 million victims tallied in 2013
Interestingly, even though actual security education programs seem to be at the bottom of priority lists, a recent survey by Deloitte indicated that 70% of organizations identified the “lack of employee security awareness” as a top vulnerability.
A head-scratcher to be sure.
The bright side is that you can battle these burgeoning threats pretty effectively. According to PwC’s Information Security Breaches Survey 2012, organizations with a security awareness program were 50% less likely to have staff-related security breaches. Maybe it’s time you started playing those percentages?