Sixty-six percent of data protection leaders admit that employees are the weakest link in an enterprise’s security posture, and 55 percent of organizations have had a security incident or data breach due to a malicious or negligent employee, according to the Ponemon Institute’s report on Managing Insider Risk through Training and Culture.

 However, only 35 percent of survey respondents say senior executives believe it a priority that employees are knowledgeable about how data security risks impact the enterprise, and 60 percent of respondents believe employees lack adequate knowledge of cybersecurity risks. For enterprises that do train employees, 51 percent of respondents say the basic training course did not require phishing or social engineering hack education.

 Only 45 percent of respondents in the survey say their enterprises make training mandatory for all employees, but even in these environments, exceptions are sometimes made for CEOs and C-Level executives.

 The report found that 67 percent of respondents’ organizations do not provide incentives for employees who are proactive in protecting sensitive information or reporting potential issues, such as phishing attempts. Similarly, there are often few clear consequences for negligence. One-third of survey respondents say there are no consequences if an employee is found to be negligent or responsible for causing a data breach.