73% of GCC firms use in-house resources for IT security training

Most companies assign their own Tech Support Department to train company employees in matters of IT security, rather than hiring outside IT consultants or asking the HR Department or Employee Development Department to commission IT security professionals, according to experts at B2B International.

B2B International collaborated with Kaspersky Lab this spring to conduct the Global Corporate IT Security Risks 2013 survey among companies located in the GCC.

Effective IT security training for employees is a key component of any strategy to combat cyber threats. According to the survey, four out of five of the most common internal security incidents recorded in the past 12 months were directly linked to staff actions. The figures for the GCC show that:

• 35 per cent of respondents in the GCC reported accidental leakages of confidential data

• 20 per cent of respondents in the GCC reported employees losing corporate mobile devices with critical data stored on them

• 23 per cent of companies in the GCC encountered intentional staff-facilitated data leakages

• 13 per cent of companies in the GCC had dealt with incidents in which confidential data got into the wrong hands due to the improper use of mobile devices (via a mobile email client, text messages, etc.)

Time and again, research shows that unintentional staff errors are behind a significant proportion of critical data leaks and IT security incidents. The key to addressing this challenge lies in ensuring that end users are adequately informed of IT security risks – and how best to avoid them.

While this clearly illustrates the importance of employee education in IT security, the question remains: who exactly should provide that training?

As B2B International’s experts determined, most companies believe that an organization’s in-house IT Department should train company employees in IT security matters — even though staff education is not one of the key functions of an IT Department. This additional workload affects performance: respondents noted that IT Departments have other important tasks and typically do not have time to educate their co-workers. Obviously, this can have a negative impact on the quality of training. A better outcome can be delivered by commissioning a third-party IT consultant with the requisite training expertise. However, only 11 per cent of respondents reported having done so.

The HR Department is involved in employee training at 8 per cent of the companies that took part in the survey. A similar number of companies delegate this matter to an Employee Training and Development Department. Roughly 3 per cent of respondents reported that they commission an outside corporate training provider.

These figures are more or less the same across regions, with some minor differences: for example, the highest percentages of companies assigning IT security training to their in-house IT Departments are found in the GCC (73 per cent), Japan (72 per cent), and North America (71 per cent), while organizations in South America (65 per cent) and Eastern Europe (57 per cent) do so less often. External IT consultants are most often hired to train company employees in South America (16 per cent) and Asia-Pacific, and less so in Eastern Europe and the GCC (both 11 per cent).

In general, the importance of employee education in IT security is acknowledged by the overwhelming majority of companies — only 1 per cent of survey respondents stated that their companies do not train their staff in IT security at all. However, the quality of corporate education is open to question; after all, employee awareness about cyber threats has a direct impact on the extent to which a company’s IT security policies are followed and, as a result, on the overall degree to which a company is protected against cyber threats. Presently, the extent to which policies are being enforced is relatively low, with approximately 37 per cent of survey participants indicating that company employees do not always respect or diligently adhere to corporate IT security rules.
