Little Being Done About Employee-Related Security Risks, Study Finds

COSTA MESA, Calif.—While employee-related security risks are the top concern for security professionals, organizations are not taking the necessary steps to prevent negligent behavior, according to research from Experian and the Ponemon Institute.

The study, Managing Insider Risk Through Training & Culture, surveyed 600 technology leaders about negligent and malicious employee behaviors and found that more than half (55%) of companies have experienced a security incident due to employee behavior.

“Companies are investing in employee training to teach them how to protect confidential information, but most of those surveyed (60%) still do not believe their employees know enough about their company's security risks,” said Bill Hardekopf, CEO at LowCards.com, Birmingham, Ala. “This information is sadly not making it to C-suite executives though, as 35% of the respondents said senior management thinks employees are knowledgeable about data security risks.”

Among the many security issues facing companies today, the study emphasizes that the risk of a data breach caused by a simple employee mistake or act of negligence is driving many breaches, explained Michael Bruemmer, vice president, Experian Data Breach Resolution.

“Unfortunately, companies continue to experience the consequences of employees either falling victim to cyberattacks or exposing information inadvertently,” said Bruemmer. “There are several steps that companies should take to better equip their employees with the tools they need to protect company data, including moving beyond simple employee education practices and shifting to a culture of security.”

Other key study findings:

  • Only 46% of companies make employee training mandatory.
  • After data breaches, most companies (60%) are not using the opportunity to retrain employees.
  • Of the companies that do provide training, 43% offer only basic information. Fewer than half of all programs cover these important topics: phishing and social engineering (49%), mobile device security (38%) and using cloud services safely (29%).
  • Research has found that incentives can encourage more positive security behaviors. Yet only 33% of companies are offering incentives. Of those that provide incentives, 19% provide a financial reward and 29% mention the behavior in performance reviews.
Copyright Holder: CUToday.info
Copyright Year: 2026