Employee-related security risks top the list of concerns for security professionals, but organizations aren't doing enough to prevent negligent employee behavior, according to a new study.
Last month, security research firm Ponemon Institute, sponsored by Experian Data Breach Resolution, surveyed 601 individuals at companies with a data protection and privacy training program on the issue of negligent and malicious employee behaviors for the Managing Insider Risk through Training & Culture report.
Sixty-six percent of respondents said employees are the weakest link in their efforts to create a strong security posture, and 55 percent said their organization had suffered a security incident or data breach due to a malicious or negligent employee.
What keeps CSOs awake at night ...
The negligent and malicious behaviors that concern security professionals the most include the following:
- Unleashing malware from an insecure website or mobile device (70 percent)
- Violating access rights (60 percent)
- Using unapproved mobile devices in the workplace (55 percent)
- Using unapproved cloud or mobile apps in the workplace (54 percent)
- Accessing company applications from an insecure public network (49 percent)
- Succumbing to targeted phishing attacks (47 percent)
While these companies are investing in employee training and other efforts around the handling of sensitive and confidential information, most are not finding success. Ponemon found that 60 percent of respondents said they believe their employees are not knowledgeable or have no knowledge of the company's security risks. And only 35 percent of respondents said their senior management believes it is a priority that employees are knowledgeable about how data security risks affect their organization.
"Among the many security issues facing companies today, the study emphasizes that the risk of a data breach caused by a simple employee mistake or act of negligence is driving many breaches," Michael Bruemmer, vice president of Experian Data Breach Resolution, said in a statement last week. "Unfortunately, companies continue to experience the consequences of employees either falling victim to cyberattacks or exposing information inadvertently. There are several steps that companies should take to better equip their employees with the tools they need to protect company data, including moving beyond simple employee education practices and shifting to a culture of security."
The report found that while every company surveyed has a training program, "many of these programs do not have the depth and breadth of content to drive significant behavioral changes and reduce the insider risk."
In fact, only about half of the respondents agreed or strongly agreed that their current employee training reduces noncompliant behaviors.
The programs fall short in a number of areas, according to the report. First, 43 percent of respondents said that training consists of only one basic course for all employees. And the courses often ignore critical areas:
- Only 49 percent of respondents said their course includes phishing and social engineering attacks.
- Only 38 percent of respondents said their course includes mobile device security.
- Only 29 percent said their course includes the secure use of cloud services.