In-brief: companies are doing a poor job of educating employees to prevent inadvertent data breaches and spot malicious insider activity, despite the stakes.
“Rarely is the question asked: ‘is our children learning?’” President George Bush famously observed. The same ironic observation might be made about employees and the question of data breaches and insider threats.
The answer to that question, according to a survey by Ponemon Institute and funded by the credit monitoring firm Experian, is apparently “no.” To the contrary: companies are doing a poor job of educating employees to prevent inadvertent data breaches and spot malicious insider activity, despite the stakes.
The survey, a sampling of some 600 responses from individuals at companies with data protection and privacy training programs, found that respondents are well aware of the role that negligent or malicious behavior by their own employees plays in data breaches, but feel that their employer doesn’t do an adequate job of educating staff and providing them with the knowledge and preparation to prevent such breaches.
Those surveyed identified employee carelessness or malicious insiders as the top risk to their organization. Further: more than half of the surveyed companies had experienced a data breach due to a malicious or negligent employee action.
But surveyed employees identified a number of obstacles to making their organization better defended against such risks. Organizational issues, such as a lack of in-house leadership, turf battles or inadequate budget, made it difficult for their organization to learn from the experience and reduce its risk in the future.
Further, training programs to promote data breach awareness were inadequate, lacking education about phishing attacks, the threat posed by cloud-based services, and threats to mobile devices. Employees who err or violate company policies regarding data protection rarely face consequences, the study revealed.
The most common type of follow-up with the employee is a one-on-one meeting with a superior. Only 16 percent of respondents say the employee’s salary would be reduced and 33 percent say the employee would be terminated as a result.
Most important is a lack of incentives for employees to do the right thing. Sixty-seven percent of respondents say their organizations do not provide incentives to employees for being proactive in protecting sensitive information or reporting potential issues. Only 19 percent of respondents say their organizations provide a financial reward for such behavior. Fewer than a third of respondents said such behavior affected their performance reviews.
The Ponemon study recommended that companies double down on employee training: using “gamification” to make it more engaging and fun, and pairing incentives for behaviors that protect data with disincentives for casual or insecure behavior.