Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

5/24/2016
04:30 PM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

Employee Negligence The Cause Of Many Data Breaches

Enterprise privacy and training programs lack the depth to change dangerous user behavior, Experian study finds.

More than half of organizations attribute a security incident or data breach to a malicious or negligent employee, according to a new survey.

Sixty-six percent of the 601 data protection and privacy training professionals surveyed for the Managing Insider Risk through Training & Culture report say their employees are the weakest link in their efforts to create a strong security posture.

Awareness of the insider risk, though, is not influencing many companies to put in place practices to improve the security culture and training of their employees, the Experian Data Breach Resolution and Ponemon Institute report found.

Only 35% say senior executives think it is a priority to ensure that employees are knowledgeable about how data security risks affect their organizations, and 60% say employees are not knowledgeable or have no knowledge of the company’s security risks.

“It’s no surprise that employee-related security risk is their number one concern,” says Michael Bruemmer, vice president of Experian Data Breach Resolution. “As we have seen in our incident response service that we do for clients, about 80% of all the breaches we service have a root cause in some type of employee negligence.”

Training Programs Inadequate

Each of the organizations in the survey has a training program, but many of these programs do not have the depth and breadth of content to drive significant behavioral changes and reduce the insider risk. Only half of the companies agree or strongly agree that current employee training actually reduces noncompliant behaviors.

Forty-three percent of respondents say that training consists of only one basic course for all employees. These basic courses often do not provide training on the risks that can result in a data breach: 49% of the respondents say training in their organization does not include phishing and social engineering attacks. Only 38% of respondents say the course includes mobile device security, and only 29% say courses include the secure use of cloud services.

Less than half --45% -- say their organizations make training mandatory for all employees. Even when mandatory, exceptions are made for certain individuals. For example, 29% of respondents say the CEO and senior level executives in their companies are not required to take the course.

Additionally, if an employee doesn’t pass a privacy test or do well on a training course, 60% of the companies in the survey don’t require them to do anything else but check off the right answers on the test, Bruemmer says.

Responsibility Starts At The Top

The responsibility for data protection and cybersecurity should start at the top with company board members and senior management, he notes. Cybersecurity should be one of the top five strategic priorities, he says. And if companies are setting up an organizational structure, the chief information security officer or an executive with that responsibility, must report at a minimum to the CEO, if not directly to the board. 

“So cybersecurity, privacy, and data breach response must have a priority at the highest level of the organization,” Bruemmer says. To back up that argument, Bruemmer notes that 29% of the cybersecurity professionals surveyed say that the lack of senior executive buy-in contributed to the inefficient training.

“In this day and age, given the cost of a data breach, which is about $6.2 million per incident, to not spend the money upfront to address the number one cause of data breaches – a relatively low cost compared to some of the other preparations – it just seems like there is a real miss here,” Bruemmer says.

Mitigating the insider risk, according to Bruemmer, should include both culture and training. Sixty-seven percent of respondents say their organizations do not provide incentives to employees for being proactive in protecting sensitive information or reporting potential issues.

The report recommends that companies should provide employees with incentives to report security issues and safeguard confidential and sensitive information, as well as better communicate the consequences of a data breach. Plus, companies should "gamify" training to make learning about potential security and privacy threats fun.

Meanwhile, federal cybersecurity professionals also recognize that people can be their organization’s greatest cybersecurity asset or greatest liability: 42% of cybersecurity executives surveyed for a new (ISC)² and KPMG LLP report say that people are currently their agency’s greatest vulnerability to cyberattacks.

Lack of accountability was also a consistent theme throughout the federal survey results, as some respondents were unable to identify a senior leader at their agency whose sole responsibility is cybersecurity. Federal cybersecurity executives are still struggling to understand how attacks could potentially breach their systems a year after hackers stole the personal information of 22 million people from the Office of Personal Management databases, according to the (ISC)² report.

Related Content:

Rutrell Yasin has more than 30 years of experience writing about the application of information technology in business and government. He has witnessed all of the major transformations in computing over the last three decades, covering the rise, death, and resurrection of the ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
kevinmass
50%
50%
kevinmass,
User Rank: Apprentice
5/9/2017 | 8:48:06 AM
Employee Negligence
Cyberattacks are increasing day by day and firstly, you need to educate your employees. Remember that all it takes for ransomware to end up on your systems is for one of your employee to open an infected attachment. This might be in an email looks like,it is from a trusted source .Employees must be aware of the risk and it's your first line of defence.  I would like to suggest Opsfolio Community, an online community for those involved with healthcare cyber security, which is a right guide for me to get healthcare cybersecurity informations.
News
US Formally Attributes SolarWinds Attack to Russian Intelligence Agency
Jai Vijayan, Contributing Writer,  4/15/2021
News
Dependency Problems Increase for Open Source Components
Robert Lemos, Contributing Writer,  4/14/2021
News
FBI Operation Remotely Removes Web Shells From Exchange Servers
Kelly Sheridan, Staff Editor, Dark Reading,  4/14/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-25382
PUBLISHED: 2021-04-23
An improper authorization of using debugging command in Secure Folder prior to SMR Oct-2020 Release 1 allows unauthorized access to contents in Secure Folder via debugging command.
CVE-2021-26291
PUBLISHED: 2021-04-23
Apache Maven will follow repositories that are defined in a dependency’s Project Object Model (pom) which may be surprising to some users, resulting in potential risk if a malicious actor takes over that repository or is able to insert themselves into a position to pretend to be t...
CVE-2021-31607
PUBLISHED: 2021-04-23
In SaltStack Salt 2016.9 through 3002.6, a command injection vulnerability exists in the snapper module that allows for local privilege escalation on a minion. The attack requires that a file is created with a pathname that is backed up by snapper, and that the master calls the snapper.diff function...
CVE-2021-31597
PUBLISHED: 2021-04-23
The xmlhttprequest-ssl package before 1.6.1 for Node.js disables SSL certificate validation by default, because rejectUnauthorized (when the property exists but is undefined) is considered to be false within the https.request function of Node.js. In other words, no certificate is ever rejected.
CVE-2021-2296
PUBLISHED: 2021-04-22
Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). The supported version that is affected is Prior to 6.1.20. Difficult to exploit vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromi...