Training Doesn’t Thwart Insider Risk

Friday, May 27, 2016 @ 03:05 PM gHale


Security is top of mind for almost everyone, but organizations aren’t doing enough to prevent negligent employee behavior, a new study found.

Two findings stand out: 66 percent of respondents said employees are the weakest link in their efforts to build a strong security posture, and 55 percent said their organization had already suffered a security incident or data breach caused by a malicious or negligent employee. The figures come from “Managing Insider Risk through Training & Culture,” a report by security research firm Ponemon Institute, sponsored by Experian Data Breach Resolution, which surveyed 601 people at companies that already run a data protection and privacy training program.


The negligent and malicious behaviors that most concern the security professionals surveyed, with the share of respondents naming each, are:
• Unleashing malware from an insecure website or mobile device (70 percent)
• Violating access rights (60 percent)
• Using unapproved mobile devices in the workplace (55 percent)
• Using unapproved cloud or mobile apps in the workplace (54 percent)
• Accessing company applications from an insecure public network (49 percent)
• Succumbing to targeted phishing attacks (47 percent)

While these companies are investing in employee training and other efforts around the handling of sensitive and confidential information, most are not finding success.

Ponemon found that 60 percent of respondents believe their employees have little or no knowledge of the company’s security risks. Only 35 percent said their senior management treats it as a priority that employees understand how data security risks affect the organization.

“Among the many security issues facing companies today, the study emphasizes that the risk of a data breach caused by a simple employee mistake or act of negligence is driving many breaches,” said Michael Bruemmer, vice president of Experian Data Breach Resolution. “Unfortunately, companies continue to experience the consequences of employees either falling victim to cyber attacks or exposing information inadvertently. There are several steps that companies should take to better equip their employees with the tools they need to protect company data, including moving beyond simple employee education practices and shifting to a culture of security.”

The report found while every company surveyed has a training program, “many of these programs do not have the depth and breadth of content to drive significant behavioral changes and reduce the insider risk.”

In fact, only about half of the respondents agreed or strongly agreed their current employee training reduces noncompliant behaviors.

The programs fall short in a number of areas, according to the report. First, 43 percent of respondents said training consists of a single basic course given to all employees, regardless of role or level of access. Second, the courses frequently omit the very areas that top the list of concerns above:
• only 49 percent of respondents said their course covers phishing and social engineering attacks
• only 38 percent said their course covers mobile device security
• only 29 percent said their course covers the secure use of cloud services

In addition, only 45 percent of the companies surveyed made the training mandatory for all employees, and even those that did often granted exceptions: 29 percent of respondents said the chief executive and other C-level executives, who typically have access to the most sensitive, high-value information, did not have to take the course.

To move the needle on security awareness, Experian and Ponemon said organizations need to go beyond a yearly course and foster a culture of security. Their recommendations include:
• Gamify training. Interactive games that walk employees through realistic security and privacy threats make the training more engaging and the content easier to retain than a passive slide deck.
• Apply a carrot-and-stick approach to reducing insider risk. Give employees incentives to report security issues and to safeguard sensitive and financial information, and establish and communicate the consequences of a data breach or security incident caused by negligent or careless behavior.
