Security training programs don't do enough to mitigate insider risk

23.05.2016
Employee-related security risks top the list of concerns for security professionals, but organizations aren't doing enough to prevent negligent employee behavior, according to a new study.

Last month, security research firm Ponemon Institute, sponsored by Experian Data Breach Resolution, surveyed 601 individuals at companies with a data protection and privacy training program on the issue of negligent and malicious employee behaviors for the Managing Insider Risk through Training & Culture report.

Sixty-six percent of respondents said employees are the weakest link in their efforts to create a strong security posture, and 55 percent said their organization had suffered a security incident or data breach due to a malicious or negligent employee.

The negligent and malicious behaviors that concern security professionals the most include the following:

While these companies are investing in employee training and other efforts around the handling of sensitive and confidential information, most are not finding success. Ponemon found that 60 percent of respondents said they believe their employees are not knowledgeable or have no knowledge of the company's security risks. And only 35 percent of respondents said their senior management believes it is a priority that employees are knowledgeable about how data security risks affect their organization.

"Among the many security issues facing companies today, the study emphasizes that the risk of a data breach caused by a simple employee mistake or act of negligence is driving many breaches," Michael Bruemmer, vice president of Experian Data Breach Resolution, said in a statement last week. "Unfortunately, companies continue to experience the consequences of employees either falling victim to cyberattacks or exposing information inadvertently. There are several steps that companies should take to better equip their employees with the tools they need to protect company data, including moving beyond simple employee education practices and shifting to a culture of security."

The report found that while every company surveyed has a training program, "many of these programs do not have the depth and breadth of content to drive significant behavioral changes and reduce the insider risk."

In fact, only about half of the respondents agreed or strongly agreed that their current employee training reduces noncompliant behaviors.

The programs fall short in a number of areas, according to the report. First, 43 percent of respondents said that training consists of only one basic course for all employees. And the courses often ignore critical areas:

In addition, only 45 percent of the companies in the survey made the training mandatory for all employees. Even those companies that did make training mandatory often made exceptions — for example, 29 percent of respondents said the CEO and C-level executives (employees who typically have access to high-value, sensitive information) were not required to take the course.

To move the needle on security awareness, Experian and Ponemon say organizations need to foster a culture of security. Recommendations include the following:

(www.cio.com)

Thor Olavsrud
