Security training programs don't do enough to mitigate insider risk

The threats posed by negligent insiders top many security professionals' lists of security concerns, but even many organizations that have data protection and privacy training programs aren't getting through to their employees.

Employee-related security risks top the list of concerns for security professionals, but organizations aren't doing enough to prevent negligent employee behavior, according to a new study.

Last month, security research firm Ponemon Institute, sponsored by Experian Data Breach Resolution, surveyed 601 individuals at companies with a data protection and privacy training program on the issue of negligent and malicious employee behaviors for the Managing Insider Risk through Training & Culture report.

Sixty-six percent of respondents said employees are the weakest link in their efforts to create a strong security posture, and 55 percent said their organization had suffered a security incident or data breach due to a malicious or negligent employee.

What keeps CSOs awake at night ...

The negligent and malicious behaviors that concern security professionals the most include the following:

  • Unleashing malware from an insecure website or mobile device (70 percent)
  • Violating access rights (60 percent)
  • Using unapproved mobile devices in the workplace (55 percent)
  • Using unapproved cloud or mobile apps in the workplace (54 percent)
  • Accessing company applications from an insecure public network (49 percent)
  • Succumbing to targeted phishing attacks (47 percent)

While these companies are investing in employee training and other efforts around the handling of sensitive and confidential information, most are not finding success. Ponemon found that 60 percent of respondents said they believe their employees are not knowledgeable or have no knowledge of the company's security risks. And only 35 percent of respondents said their senior management believes it is a priority that employees are knowledgeable about how data security risks affect their organization.

"Among the many security issues facing companies today, the study emphasizes that the risk of a data breach caused by a simple employee mistake or act of negligence is driving many breaches," Michael Bruemmer, vice president of Experian Data Breach Resolution, said in a statement last week. "Unfortunately, companies continue to experience the consequences of employees either falling victim to cyberattacks or exposing information inadvertently. There are several steps that companies should take to better equip their employees with the tools they need to protect company data, including moving beyond simple employee education practices and shifting to a culture of security."

The report found that while every company surveyed has a training program, "many of these programs do not have the depth and breadth of content to drive significant behavioral changes and reduce the insider risk."

In fact, only about half of the respondents agreed or strongly agreed that their current employee training reduces noncompliant behaviors.

The programs fall short in a number of areas, according to the report. First, 43 percent of respondents said that training consists of only one basic course for all employees. And the courses often ignore critical areas:

  • Only 49 percent of respondents said their course includes phishing and social engineering attacks.
  • Only 38 percent of respondents said their course includes mobile device security.
  • Only 29 percent said their course includes the secure use of cloud services.

In addition, only 45 percent of the companies in the survey made the training mandatory for all employees. Even those companies that did make training mandatory often made exceptions — for example, 29 percent of respondents said the CEO and C-level executives (employees that typically have access to high-value, sensitive information) were not required to take the course.

To move the needle on security awareness, Experian and Ponemon say organizations need to foster a culture of security. Recommendations include the following:

  • Gamify training. Make learning about potential security and privacy threats fun. Interactive games that illustrate threats for employees can make the educational experience enjoyable and the content easier to retain. For example, new technologies that simulate real phishing emails and provide simple ways to report potentially fraudulent messages are gaining traction.
  • Apply a carrot-and-stick approach to reducing insider risk. Provide employees with incentives to report security issues and safeguard financial information. Establish and communicate the consequences of a data breach or security incident caused by negligent or careless behavior. The tone at the top is critical — senior executives should set an example by participating in the data protection and privacy training (DPPT) program and emphasizing the importance of reducing the risk of a data breach or security incident.

Stories by Thor Olavsrud