Infosecurity 2012: Survey proves value of security awareness programme

According to the latest findings from PwC, better end-user security training can pay off in fewer breaches.

LONDON – Data from a leading industry report suggests that an organisation with a quality end-user security awareness programme is less likely to suffer a security breach.

This is according to the latest Information Security Breaches Survey (ISBS) report from PricewaterhouseCoopers (PwC). The bi-annual report, presented at Infosecurity 2012 this week, is widely considered to be a respected barometer of UK security trends.

Security breaches reached historically high levels in 2011, according to the PwC report, costing the UK economy between £5 billion and £10 billion a year.

In the report, PwC noted that 95% of large organisations and 63% of smaller firms have a documented security policy, yet only a quarter of respondents believed their organisations' policies are well understood by users. The survey found staff-related breaches were more common in organisations where the security policy was poorly understood, while breaches were less frequent where policies had been thoroughly communicated.

Chris Potter, a partner with PwC and one of the report’s authors, said the findings underscore the need for better employee training. “The root cause of these attacks is often a lack of security awareness,” he said.

“These findings provide evidence of a payback in security awareness spending,” Potter continued. “The figures clearly show that organisations with a clearly understood security policy are less likely to be breached.”


The PwC survey, which was partially funded by the Department for Business, Innovation and Skills (BIS), was based on feedback received from 447 UK organisations and was conducted during February and March of 2012.

PwC also found that, while on average security spending accounts for 8% of overall IT budgets, comparable with the level in 2010, one in eight organisations spends less than 1% of its IT budget on security. Potter said some large organisations appeared to have become complacent about security; 12% of respondents said senior managers give a low priority to security.

However, Potter said, security is not achieved solely by spending money on technology. He encouraged large organisations especially to put robust policies and processes in place along with effective end-user security training.
