The value of awareness

This year's UK information security breaches survey is, as always, a useful source of statistics concerning how real-world organizations are dealing with information security.  It is also, as always, a depressing read for those of us promoting good security practices, partcularly (in my case) ISO27k and human factors.

 So, 44% of organizations gave additional staff training after their worst breach - presumably they realized that their existing training (and awareness?) activities were lacking.  But what of the other 56%: they either thought their training (and awareness?) was OK (wishful thinking?), or it didn't even occur to them that they might need reinforcement.

26% of organizations "believe" their staff have a very good understanding of their security policy.  Bravo!  However, I can't help but wonder how many of those actually have data to support their belief.  How many of them have the metrics to know?  And what of the remaining 74% of organizations who acknowlwdge that their staff don't have a very good understanding of their policy: does that mean the policy is opaque, or tucked away in some intranet backwater perhaps?

That three quarters of the organizations with a poorly-understood policy had staff-related breaches implies a strong correlation, although it is not necessarily cause-and-effect.  As well as being promoted in standards such as ISO27k, most infosec professionals would agree that policy is an important security mechanism, for several reasons (e.g. it clarifies the rules for employees,  confirms management's overt support for security, and is a Litmus test for organizations taking security seriously).  I doubt anyone would seriously claim that having a well-written, readily-understood security policy would make security worse.

Finally, I am dismayed, though not at all surprised, to find that more than half of small businesses don't have any security awareness programme.  I suspect many small businesses don't have IT or HR or Finance specialists, in fact some don't even have experienced, qualified, professional managers as such: they make do with common sense, passion for their core business, and occasionally take advice/assistance from third party professionals such as accountants, lawyers and IT support companies, many of whom are also small businesses.  There are certainly control and governance benefits in being small - information security may not (appear to) be quite the issue that it is for larger organizations since the owner can keep a beady eye on things.  I suspect information security risks and opportunities materially differ in different sized organizations, and it is entirely possible that other considerations such as establishing and maintaining their brands, or securing adequate cash flows eclipse most information security risks although, arguably, brands and cash flows are themselves information-security-related.

Anyway, those are just four or many thought-provoking statistics in the report.  I will be poring over the numbers, gleaning whatever I can and no doubt using some of the key findings in our security awareness materials over forthcoming months.   We've just reduced our minimum annual subscription to below $3,000 in order to appeal to more small businesses: compared to the risks of not having an effective security awareness program, and the costs and difficulties of creating an awareness program in-house, we think that's a sound investment, but naturally we are biased.  What do you think?