Study Says Organizations Not Doing Enough to Prevent Employee-Caused Security Incidents
While employee-related security risks are the number-one concern for security professionals, organizations are not taking adequate steps to prevent negligent employee behavior.
The study, Managing Insider Risk Through Training & Culture, from Experian Data Breach Resolution and the Ponemon Institute, asked more than 600 individuals at companies that currently have a data protection and privacy training program to weigh in on the topic of negligent and malicious employee behaviors, as well as the consequences of poor security conduct and the effectiveness of training.
The study found that more than half (55 percent) of companies surveyed have already experienced a security incident due to a malicious or negligent employee. However, despite investment in employee training and other efforts to reduce careless behavior in the handling of sensitive and confidential information, the majority of companies do not believe that their employees are knowledgeable about the company's security risks.
"Among the many security issues facing companies today, the study emphasizes that the risk of a data breach caused by a simple employee mistake or act of negligence is driving many breaches. Unfortunately, companies continue to experience the consequences of employees either falling victim to cyberattacks or exposing information inadvertently," said Michael Bruemmer, vice president, Experian Data Breach Resolution. "There are several steps that companies should take to better equip their employees with the tools they need to protect company data, including moving beyond simple employee education practices and shifting to a culture of security."
According to the survey, only 46 percent of surveyed companies make training mandatory for all employees. When companies experience a data breach, they have a unique opportunity to re-engage employees around protecting company data. Unfortunately, 60 percent of companies do not require employees to retake security training courses following a data breach, missing a key opportunity to emphasize security best practices.
The effectiveness of training programs varies greatly, and many are not extensive enough to drive significant behavioral change. Only half of companies agree or strongly agree that current employee education programs actually reduce noncompliant behaviors.
These critical areas are covered in less than half of basic programs:
• Phishing and social engineering attacks (49 percent)
•Mobile device security (38 percent)
•Using cloud services safely (29 percent)
The study also found that companies are not currently implementing a number of simple incentives that could encourage positive security behaviors. Of the companies surveyed, 67 percent provide no incentives to employees for being proactive in protecting sensitive information or reporting potential issues. Among those that do provide incentives, only 19 percent provide a financial reward and only 29 percent mention security in performance reviews. Furthermore, the study found that one-third of companies have no consequences if an employee is found to be negligent or responsible for causing a data breach.