"Seventy-one per cent of respondents said their organizations allow mobile and remote employees to access data and networks, but only 39 per cent said their organizations have implemented security awareness training and education. Only 19 per cent said they intend to implement such training in 2008. The good news is that of the organizations that have implemented security awareness training for remote and mobile employees, 92 per cent of respondents said they believe the number of major security breaches has been reduced."
So, security awareness works but few organizations are using it. More fool them!
Jay Cline, writing in Computerworld, describes the top five mistakes of privacy awareness programs:
1. Doing separate training for privacy, security, records management and code of ethics.
2. Equating "campaign" with "program."
3. Equating "awareness" with "training."
4. Using one or two communications channels.
5. No measurement.
[Read Jay's piece if these are not immediately obvious.]
I agree with all five issues, particularly his point that "A true program has an annually refreshed calendar of messages and training going out to different employee populations throughout the year". Multimedia, multiple audiences and multiple activities together make for a more effective awareness program.