My cynicism around security awareness and training was confirmed when I got into a discussion with a senior manager at a (very) large bank who admitted that he tasked his PA to go through each training course using his sign-in credentials. I decided to partner with OutThink as they target training at individuals based on behaviour and risk rather than carpet-bomb all employees…:
[…] The survey included a wide range of questions around Security Awareness and Training (SA&T) Programs in APAC, including security measures and implementation, employee behaviour changes, security culture and overall effectiveness in delivering effective training programs. Results of the employer survey were measured against feedback from 240 knowledge workers within these companies, who regularly use email and digital channels in the workplace.
Across the region the study also found that attending SA&T activities does not necessarily translate to a change in behaviour for employees, with a third of SA&T attendees still admitting to flouting security policies — increasing to more than 50% for respondents in New Zealand.