McAfee Survey finds SME employees are failing to take security seriously, despite training
June 2013 by McAfee
Research commissioned by IT security specialist McAfee has found that, despite British small and medium sized enterprises (SMEs) providing training in IT and security, employees fail to prevent breaches and data leaks. The study* revealed that even those with training in specific areas of technology failed to keep their data secure – 58% of those whose email was hacked had received training specifically around email security. Worryingly, almost a quarter of employees admitted they were not concerned at all about attacks and breaches.
According to the study, 68% of SMEs are making a concerted effort to educate employees about security risks and threats and over two thirds of companies provide training in this area. However, for these initiatives to be successful, employees need to be involved and engaged. “Employees play critical roles in protecting customer records, intellectual property and critical business data”, said Raj Samani, CTO, McAfee EMEA at McAfee. “Investments in hardware or software are in vain if employees don’t follow the rules. If there are any rules or guidelines, that is to say.”
The enemy within
80 percent of British SME employees agree that digital data is a central business asset for their company. Half regularly handle client contact data, almost half touch invoice data and 42 percent interact with confidential client data. The survey findings reveal that almost a third of employees identify the biggest threat to these digital assets as their colleagues. In fact, 11 percent have experienced security incidents due to colleagues, while 5 percent admit to having caused a breach themselves.
The security risk through employees is increased further as the growing Bring Your Own Device (BYOD) trend means that a fifth of SME employees are now using their own personal devices to handle corporate email and access business data. “BYOD and BYOS create security vulnerabilities SMEs need to understand and deal with today”, said Samani. “Private usage of devices or services not only opens backdoors to a businesses’ security infrastructure, it also creates an environment where companies cannot control how their data is being accessed, stored or shared.”
A joint effort
The research highlights that even though security training is provided at two thirds of companies these efforts appear to have little effect on reducing breaches. Even those with training in specific areas fail to keep their data secure: 53% of those whose password was hacked had received password security training and 58% of those whose email was hacked had received email security training. In addition, 30% of those who had email security training, 35% of those who had mobile training and 20% of those who had cloud security training admitted to leaking data.
“The study reveals a disconnect between SMEs’ efforts to make security part of their employees’ mindset and employees recognising it as part of their responsibility,” said Samani. “For employees to say cyber security is not their concern is not acceptable. Cyber security is a shared responsibility: Owners, managers, IT professionals, employees and security providers alike must work together to stop cybercrime. More than a third of global targeted attacks are now aimed against small businesses, so SMEs clearly need to do more to educate employees to make them understand the responsibility carried by each individual. SMEs have to include their employees as an integral part of their security strategy and provide easy-to-manage security that will protect all devices, both remote and in the office.”
* Survey Design
McAfee asked 1.000 UK Employees (non IT specialists, non Directors) in SMEs with 25-100 staff in April/May 2013 with regards to the importance of data, security awareness, security incidents, security education in their companies as well as their needs and wishes with regards to IT security education. Management and IT staff were excluded from participation in the survey.