"A lot of companies tend to treat IT security education in isolation. Whereas it should form part of a company's overall training schedule. It should also be integrated into its culture and ethos," Robinson points out. In essence, it requires a culture and ethos that should involve people making sensible choices, to be frank.
One of the sensible choices, according to Stephen Bonner, a partner in KPMG's information protection business resilience team, might be in changing the term security awareness itself as this can suggest something done to an individual.
"Campaigns work best when people understand why it's important to the business to be sensible about security," Bonner insists. "[And] why it benefits them as an individual to do the right thing."
It also helps if the security policies are realistic about their expectations of user behaviour in the first place. And realistic about memory retention for that matter. Even when IT security training is provided for every employee, it's often not reaffirmed which means it could go in one ear and out the other very quickly.
"Enterprises should look to provide daily or weekly security tips to all employees and refresh or even test their knowledge on a quarterly basis to remain confident that their staff are up to date on the latest threats," says Chris Jenkins, European general manager for security at Dimension Data. Although I'm not sure daily security tips would get much real attention after a very short period of time. More likely, they would just get lost in the sea of other emails and communications. The quarterly refreshers, on the other hand, sounds eminently practical. None of which is to say that enterprises in general don't train staff in security matters as part of the induction process, and most medium-to-large organisations have significantly increased the amount of ongoing training they provide by way annual updates and the like.
"It does seem though that this is often driven for reasons of compliance to standards," warns Terry Greer-King, director of security at Cisco in the UK and Ireland. He continues: "Rather than a deep seated desire to improve things and there is significant room for improvement."
One area ripe for improvement is that the key focus of training is all too often misplaced, with staff perceiving that security is for the business to sort out with the relevant tools and restraints to support it. It's this failure to involve staff properly which is seen by many as the problem. "Failure to involve users as educated participants in security creates a fractured relationship and this fundamental disconnect, which applies across many businesses, leads to the failure to involve staff in risk awareness and assessment," insists Ian Kilpatrick, chairman of Wick Hill Group.
