SOURCE: Wombat Security Technologies

July 07, 2016 10:05 ET

Wombat Security Offers Advice for Improving Efficacy of Cyber Security Education Programs

Study Shows Need for Cultural Shift, Better Security Awareness Training

PITTSBURGH, PA--(Marketwired - July 07, 2016) - According to Wombat Security Technologies, a recently released research report from Experian and Ponemon Institute is a study in contrasts: organizations acknowledge that insider risk continues to be a significant challenge on the cyber security front while at the same time indicating that their employees are not being given the training they need to reduce those risks.

The results reflected in the Managing Insider Risk through Training & Culture research report are based on a survey of 601 individuals whose organizations provide security awareness training programs and who themselves are knowledgeable about the parameters of those programs. Of those surveyed, 66% feel that employees are the weakest link in the security chain, and 55% indicated that their organization had suffered a security incident or data breach as the result of negligent or malicious end-user behaviors.

Wombat acknowledges that these statistics are unlikely to be met with surprise given that most organizations are aware of the impact of end-user behaviors. What is disheartening, they say, is the way end-user risk is being managed.

"Insider threats are widely discussed and well recognized, so it stands to reason that organizations would be prioritizing these issues and attacking them head on," said Amy Baker, Wombat's Vice President of Marketing. "However, the results from the Ponemon study seem to indicate that is not the case."

Baker points to several of the findings from the research report to support this conclusion:

  • Only 35% of respondents said their senior executives have made end-user security awareness and training a priority.
  • 60% say their employees are not knowledgeable or have no knowledge of the company's security risks.
  • 43% indicated that their organization's cyber security education consists of one basic course.
  • Only 49% said they teach employees about phishing and social engineering attacks. And just 38% provide education about mobile device security.

She says these results are particularly troubling given that each respondent's organization is using some level of data protection and privacy training. The survey seems to reflect that efficacy is a common problem: only 50% of respondents agree that their current approach actually reduces non-compliant behaviors, and even fewer (43%) feel the training helps to minimize loss or theft of confidential data.

Organizations Need to Enhance Their Approach to Cyber Security Education

As a pioneer in the space, Wombat has long cautioned that effective security awareness and training is about more than checking a box. End users can be a valuable resource. Not only can employees help block external attacks, they can also be eyes and ears on the inside, helping to identify negligent behaviors and potential malicious internal actors.

Wombat feels the Ponemon study reflects a clear need to implement a more effective approach to managing end-user risk, and they offer advice on how to do that:

Study shows: 43% of cyber security education programs consist of one basic course. Critical areas of risk -- including those that lead to breaches -- are often ignored.
Organizations should: Implement a continuous training approach that keeps security top-of-mind year round and allows them to cover multiple topics in "digestible" chunks.

Study shows: Many organizations exclude certain employee segments from participating in cyber security training, including contract workers (55%), part-time employees (40%), and CEOs/C-level execs (29%).
Organizations should: Train at all levels and strive for a top-down approach to awareness and training. Every connected employee is a potential point of entry for attackers, and the C-suite has been increasingly targeted.

Study shows: 67% of organizations do not incentivize employees to be proactive about protecting sensitive data and systems.
Organizations should: Consider using gamification to make security awareness and training programs more engaging and rewarding for end users.

Study shows: 70% say that lack of in-house expertise is a reason it is difficult to reduce the risks related to negligent or malicious employees.
Organizations should: Partner with a leader in the computer-based security training space who can help them design and implement an effective program. Explore managed services options if administrative resources are an issue.

Phishing attacks are more prevalent than ever. For more information about training end users to identify, avoid, and report suspicious email messages, visit