Typically, employee education on information security issues is limited to reading manuals: new research from SearchInform says only 12% of organisations conduct special webinars, and only 16% of businesses implement full-scale training.
Having said that, more and more companies are beginning to realise the importance of ensuring appropriate information security protection, with up to 80% of organisations looking to increase employees’ literacy in information security-related issues.
At the same time, though, 60% of the specialists in charge of enhancing staff members’ information security literacy simply develop some manuals or regulations, which employees have to examine themselves.
“This is the most widely spread method because it is the simplest one – it is enough to establish the regulations on how to work with data once,” says Sergio Bertoni, leading analyst at SearchInform. “However, few employees read such regulations.
“People do not understand the risks associated and thus they don’t understand why the regulations are important and how they are corresponding with employees’ job duties,” Bertoni says. “First of all, it is important to check how well the information is learned. And it is very useful to explain how crucial the information provided is in real life.”
Experts at some companies understand that regulations alone are not sufficient and so combine different approaches to education. For instance, specialists in 51% of organisations send emails notifying staff members about new information security risks; special webinars, during which experts tell the audience about information security challenges and recommend how to avoid them, take place in 12% of organisations; and full-scale cyber trainings are implemented in 16% of organisations.
Some respondents turn to third-party expert organisations: 27% of them use free training courses by information security experts, and 17% of respondents are ready to pay for such courses.
“In order to make sure that an employee who is not an information security expert understands clearly why it is so important to use different passwords for private and work accounts, how to recognise Internet fraud and take the required measures to ensure that third-party users do not somehow obtain access to their corporate documents, it is useful to incorporate some real-life experiences to help explain what the probable outcomes can be of neglecting information security rules set in the organisation,” says Bertoni. “Information security is quite an abstract sphere, that’s why it is crucial to provide employees with detailed explanation and illustrative cases in infosec-related issues to make the educational process easier and more efficient.”