Employee-related security risks top the list of concerns for security professionals, but organizations aren't doing enough to prevent negligent employee behavior, according to a new study.
Last month, security research firm Ponemon Institute, sponsored by Experian Data Breach Resolution, surveyed 601 individuals at companies with a data protection and privacy training program on the issue of negligent and malicious employee behaviors for the Managing Insider Risk through Training & Culture report.
Sixty-six percent of respondents said employees are the weakest link in their efforts to create a strong security posture, and 55 percent said their organization had suffered a security incident or data breach due to a malicious or negligent employee.
What keeps CSOs awake at night ...
The negligent and malicious behaviors that concern security professionals the most include the following:
- Unleashing malware from an insecure website or mobile device (70 percent)
- Violating access rights (60 percent)
- Using unapproved mobile devices in the workplace (55 percent)
- Using unapproved cloud or mobile apps in the workplace (54 percent)
- Accessing company applications from an insecure public network (49 percent)
- Succumbing to targeted phishing attacks (47 percent)
While these companies are investing in employee training and other efforts around the handling of sensitive and confidential information, most are not finding success. Ponemon found that 60 percent of respondents said they believe their employees are not knowledgeable or have no knowledge of the company's security risks. And only 35 percent of respondents said their senior management believes it is a priority that employees are knowledgeable about how data security risks affect their organization.
"Among the many security issues facing companies today, the study emphasizes that the risk of a data breach caused by a simple employee mistake or act of negligence is driving many breaches," Michael Bruemmer, vice president of Experian Data Breach Resolution, said in a statement last week. "Unfortunately, companies continue to experience the consequences of employees either falling victim to cyberattacks or exposing information inadvertently. There are several steps that companies should take to better equip their employees with the tools they need to protect company data, including moving beyond simple employee education practices and shifting to a culture of security."
The report found that while every company surveyed has a training program, "many of these programs do not have the depth and breadth of content to drive significant behavioral changes and reduce the insider risk."
In fact, only about half of the respondents agreed or strongly agreed that their current employee training reduces noncompliant behaviors.
The programs fall short in a number of areas, according to the report. First, 43 percent of respondents said that training consists of only one basic course for all employees. And the courses often ignore critical areas:
- Only 49 percent of respondents said their course includes phishing and social engineering attacks.
- Only 38 percent of respondents said their course includes mobile device security.
- Only 29 percent said their course includes the secure use of cloud services.
In addition, only 45 percent of the companies in the survey made the training mandatory for all employees. Even those companies that did make training mandatory often made exceptions — for example, 29 percent of respondents said the CEO and C-level executives (employees that typically have access to high-value, sensitive information) were not required to take the course.
To move the needle on security awareness, Experian and Ponemon say organizations need to foster a culture of security. Recommendations include the following:
- Gamify training. Make learning about potential security and privacy threats fun. Interactive games that illustrate threats for employees can make the educational experience enjoyable and the content easier to retain. For example, new technologies that simulate real phishing emails and provide simple ways to report potentially fraudulent messages are gaining traction.
- Apply a carrot-and-stick approach to reducing insider risk. Provide employees with incentives to report security issues and safeguard financial information. Establish and communicate the consequences of a data breach or security incident caused by negligent or careless behavior. The tone at the top is critical — senior executives should set an example by participating in the data protection and privacy training (DPPT) program and emphasizing the importance of reducing the risk of a data breach or security incident.
This story, "Security training programs don't do enough to mitigate insider risk" was originally published by CIO.