In addition, only 45 percent of the companies in the survey made the training mandatory for all employees. Even those companies that did make training mandatory often made exceptions — for example, 29 percent of respondents said the CEO and C-level executives (employees that typically have access to high-value, sensitive information) were not required to take the course.
To move the needle on security awareness, Experian and Ponemon say organizations need to foster a culture of security. Recommendations include the following:
- Gamify training. Gamify training to make learning about potential security and privacy threats fun. Interactive games that illustrate threats for employees can make the educational experience enjoyable and the content easier to retain. For example, new technologies that simulate real phishing emails and provide simple ways to report potentially fraudulent messages are gaining traction.
- Apply a carrot-and-stick approach to reducing insider risk. Provide employees with incentives to report security issues and safeguard financial information. Establish and communicate the consequences of a data breach or security incident caused by negligent or careless behavior. The tone at the top is critical — senior executives should set an example by participating in the data protection and privacy training (DPPT) program and emphasizing the importance of reducing the risk of a data breach or security incident.
Sign up for CIO Asia eNewsletters.