Orgs Turn Blind Eye to Risky Employee Behavior

While employee-related security risks are the No.1 concern for security professionals, organizations are not taking adequate steps to prevent negligent employee behavior.

That’s the word from a study by Experian Data Breach Resolution and Ponemon Institute, Managing Insider Risk Through Training & Culture, which found that the concern is well-founded: More than half (55%) of companies surveyed have already experienced a security incident due to a malicious or negligent employee.

Alarmingly, a full 60% of companies surveyed believe that their employees are not knowledgeable or have no knowledge of the company’s security risks—despite investment in employee training (and other efforts to reduce careless behavior in the handling of sensitive and confidential information).

Additionally, the study showed a lack of concern by C-suite executives. Only 35% of respondents said that senior management sees it as a priority that employees are knowledgeable about how data security risks affect their organization. This illustrates a clear gap between companies’ awareness of the issues caused by employee negligence and their actions.

In practice, the survey found that only 46% of surveyed companies make training mandatory for all employees. And, when companies experience a data breach, they have a unique opportunity to re-engage employees around protecting company data. Unfortunately, 60% of companies do not require employees to retake security training courses following a data breach, missing a key opportunity to emphasize security best practices.

Even among those that provide training, the effectiveness of training programs varies greatly, and many are not extensive enough to drive significant behavioral change. Many training programs provide only basic information and are not delivered on a regular basis. About 43% of companies provide only one basic course for all employees, and often these courses don’t cover a number of large risks that lead to data breaches.

Phishing and social engineering attacks are covered in just 49% of basic programs; mobile device security in 38%; and using cloud services safely is covered in less than a third (29%).

Overall, only half of companies agree or strongly agree that current employee education programs actually reduce noncompliant behaviors.

The other issue is that organizations are not fostering a culture of security. The study found that companies are not currently implementing a number of simple incentives that could encourage positive security behaviors. Of the companies surveyed, 67% provide no incentives to employees for being proactive in protecting sensitive information or reporting potential issues.

Among those that do provide incentives, only 19% provide a financial reward and only 29% mention security in performance reviews. Furthermore, the study found that one-third of companies have no consequences if an employee is found to be negligent or responsible for causing a data breach.

“Among the many security issues facing companies today, the study emphasizes that the risk of a data breach caused by a simple employee mistake or act of negligence is driving many breaches. Unfortunately, companies continue to experience the consequences of employees either falling victim to cyberattacks or exposing information inadvertently,” said Michael Bruemmer, vice president, Experian Data Breach Resolution. “There are several steps that companies should take to better equip their employees with the tools they need to protect company data, including moving beyond simple employee education practices and shifting to a culture of security.

Photo © Pressmaster

What’s Hot on Infosecurity Magazine?