More than half of organizations attribute a security incident or data breach to a malicious or negligent employee, according to a new survey.
Sixty-six percent of the 601 data protection and privacy training professionals surveyed for the Managing Insider Risk through Training & Culture report say their employees are the weakest link in their efforts to create a strong security posture.
Awareness of the insider risk, though, is not influencing many companies to put in place practices to improve the security culture and training of their employees, the Experian Data Breach Resolution and Ponemon Institute report found.
Only 35% say senior executives think it is a priority to ensure that employees are knowledgeable about how data security risks affect their organizations, and 60% say employees are not knowledgeable or have no knowledge of the company’s security risks.
“It’s no surprise that employee-related security risk is their number one concern,” says Michael Bruemmer, vice president of Experian Data Breach Resolution. “As we have seen in our incident response service that we do for clients, about 80% of all the breaches we service have a root cause in some type of employee negligence.”
Training Programs Inadequate
Each of the organizations in the survey has a training program, but many of these programs do not have the depth and breadth of content to drive significant behavioral changes and reduce the insider risk. Only half of the companies agree or strongly agree that current employee training actually reduces noncompliant behaviors.
Forty-three percent of respondents say that training consists of only one basic course for all employees. These basic courses often do not provide training on the risks that can result in a data breach: 49% of the respondents say training in their organization does not include phishing and social engineering attacks. Only 38% of respondents say the course includes mobile device security, and only 29% say courses include the secure use of cloud services.
Less than half --45% -- say their organizations make training mandatory for all employees. Even when mandatory, exceptions are made for certain individuals. For example, 29% of respondents say the CEO and senior level executives in their companies are not required to take the course.
Additionally, if an employee doesn’t pass a privacy test or do well on a training course, 60% of the companies in the survey don’t require them to do anything else but check off the right answers on the test, Bruemmer says.
Responsibility Starts At The Top
The responsibility for data protection and cybersecurity should start at the top with company board members and senior management, he notes. Cybersecurity should be one of the top five strategic priorities, he says. And if companies are setting up an organizational structure, the chief information security officer or an executive with that responsibility, must report at a minimum to the CEO, if not directly to the board.
“So cybersecurity, privacy, and data breach response must have a priority at the highest level of the organization,” Bruemmer says. To back up that argument, Bruemmer notes that 29% of the cybersecurity professionals surveyed say that the lack of senior executive buy-in contributed to the inefficient training.
“In this day and age, given the cost of a data breach, which is about $6.2 million per incident, to not spend the money upfront to address the number one cause of data breaches – a relatively low cost compared to some of the other preparations – it just seems like there is a real miss here,” Bruemmer says.
Mitigating the insider risk, according to Bruemmer, should include both culture and training. Sixty-seven percent of respondents say their organizations do not provide incentives to employees for being proactive in protecting sensitive information or reporting potential issues.
The report recommends that companies should provide employees with incentives to report security issues and safeguard confidential and sensitive information, as well as better communicate the consequences of a data breach. Plus, companies should "gamify" training to make learning about potential security and privacy threats fun.
Meanwhile, federal cybersecurity professionals also recognize that people can be their organization’s greatest cybersecurity asset or greatest liability: 42% of cybersecurity executives surveyed for a new (ISC)² and KPMG LLP report say that people are currently their agency’s greatest vulnerability to cyberattacks.
Lack of accountability was also a consistent theme throughout the federal survey results, as some respondents were unable to identify a senior leader at their agency whose sole responsibility is cybersecurity. Federal cybersecurity executives are still struggling to understand how attacks could potentially breach their systems a year after hackers stole the personal information of 22 million people from the Office of Personal Management databases, according to the (ISC)² report.