More than 50% of organizations that have experienced a data breach attribute it to negligence on the part of an employee, according to a recent survey entitled “Managing Insider Risk through Training & Culture.”
Of the 601 data protection experts interviewed, 66% said that employees pose the biggest challenge to their efforts to improve the security of the companies they work for.
However, many companies have yet to adequately train their employees despite these security challenges.
In a survey of senior executives at large corporations, only 35% felt it necessary to educate their employees about security risks and how those risks affect the organization, and 60% believed their employees were unaware of security risks.
Michael Bruemmer, Vice President at Experian Data Breach Resolution, believes employee-related security risk is the major concern confronting companies. According to reports presented by the research firm, 80% of all data breaches were the result of employee negligence.
Inadequate training
Most of the organizations that took part in the survey had training programs for their employees, yet the content of that training turned out to be too shallow to achieve its intended objectives. Only 50% of these companies saw a need to train their employees properly on non-compliant behaviors.
43% of respondents said that employee training consists of a single basic course, and that these courses have not been effective at teaching employees about the risk of a data breach. 49% of participants said their organizations had not adequately trained them on social engineering attacks and phishing. Only 38% said their training covered mobile device security, and only 29% said it covered cloud services.
About 45% of participants, fewer than half, said their organizations made training compulsory. Even where training is mandatory, some individuals are exempted from it: 29% of respondents said their organization’s CEO and senior executives rarely participate in cybersecurity training.
Most companies also fail to follow up on employees who fail or barely pass cybersecurity training; instead, they simply provide the correct answers to the questions that were missed.
Data protection has to start from the top
Employees only become serious about cybersecurity and data protection when CEOs and top executives become serious about it. It is time for companies to include cybersecurity among their top five priorities. To be effective, the chief information security officer should report directly to the CEO or the executive board.
In the words of Bruemmer, “Companies and organizations must make data protection and cybersecurity their topmost priority.” He added that 29% of cybersecurity experts believe the indifference of senior executives toward cybersecurity is the main reason training is ineffective.
Given the high cost of addressing a data breach, estimated at more than $6.2 million per incident, it is clearly better to address these risks proactively.
For many organizations, addressing these risks proactively requires changes to organizational culture. For example, 67% of survey participants say their organizations never reward them for taking proactive steps to prevent data breaches and cyber-attacks.
Companies should incentivize employees who take proactive steps to report security issues or who act to protect confidential reports and information. To engage employees, companies often “gamify” cybersecurity training to counter the apathy associated with online learning.
Some cybersecurity experts believe that employees can be both a company’s greatest cybersecurity asset and its greatest liability. A report by KPMG LLP, based on a survey of cybersecurity experts, found that people are an organization’s weakest link in preventing cyberattacks.
Most of the report attributes the cybersecurity threats that companies and organizations face to a lack of accountability, with some respondents saying they do not know who is responsible for cybersecurity in their organizations. As it stands, some executives have yet to understand how data breach threats affect their organizations, even after hackers stole the personal information of 22 million people from the databases of the Office of Personnel Management just last year.