Organizations Not Taking Steps to Prevent Employee-Caused Security Incidents

May 25, 2016, Written By Bill Hardekopf

While employee-related security risks are the top concern for security professionals, organizations are not taking the necessary steps to prevent negligent behavior, according to research from Experian and the Ponemon Institute.

The study, Managing Insider Risk Through Training & Culture, surveyed 600 technology leaders about negligent and malicious employee behaviors and found that more than half (55%) of companies have experienced a security incident due to employee behavior.

Companies are investing in employee training to teach them how to protect confidential information, but most of those surveyed (60%) still do not believe their employees know enough about their company’s security risks. This information is sadly not making it to C-suite executives though, as 35% of the respondents said senior management thinks employees are knowledgeable about data security risks.

“Among the many security issues facing companies today, the study emphasizes that the risk of a data breach caused by a simple employee mistake or act of negligence is driving many breaches. Unfortunately, companies continue to experience the consequences of employees either falling victim to cyberattacks or exposing information inadvertently,” said Michael Bruemmer, vice president, Experian Data Breach Resolution. “There are several steps that companies should take to better equip their employees with the tools they need to protect company data, including moving beyond simple employee education practices and shifting to a culture of security.”

Other key findings include:

  • Only 46% of companies make employee training mandatory.
  • After data breaches, most companies (60%) are not using the opportunity to retrain employees.
  • Of the companies that do provide training, 43% offer only basic information. Less than half of all programs cover these important topics: phishing and social engineering (49%), mobile device security (38%) and using cloud services safely (29%).
  • Research has found that incentives can encourage more positive security behaviors. Unfortunately, only 33% of companies are offering incentives. Of those who provide incentives, 19% provide a financial reward and 29% mention the behavior in performance reviews.

The information contained within this article was accurate as of May 25, 2016. For up-to-date information on any of the terms, cards or offers mentioned above, visit the issuer's website.