Ricci Dipshan, Legaltech News
A survey finds discrepancies in companies’
cybersecurity training effectiveness and executive concerns over insider
threats.
Becoming aware of the modern cyberthreat landscape means also becoming aware of its inherent irony. For all the talk of how sophisticated cyberattacks are rising to record levels, the number-one threat to a legal department and company is still its own employees. And while data security and privacy training is the first line of defense against negligent employee behavior, such training programs are falling short, according to “Managing Insider Risk Through Training & Culture,” a report by Experian and the Ponemon Institute.
The survey of over 600 IT professionals, C-suite
executives, managers, and other high-level staff in various U.S. organizations
found that slightly over half of organizations (55 percent) suffered a security
incident or data breach due to malicious or negligent employee behavior. In
addition, only 51 percent of respondents agreed that their organization’s data
security and privacy program was effective.
Those in the legal department were considered
among the most conscientious in terms of protecting data. Sixty percent of
respondents cited the legal department as among the most careful, behind the 67 percent
who cited the compliance department and the 69 percent who cited the finance
and accounting department.
The report also noted that training at
companies is not as comprehensive as one might expect. Forty-three percent of
respondents, for example, said their training program only offered one basic
course, while 31 percent said they also offered advanced courses to employees
with regular access to sensitive data. These courses were not offered to the
entire workforce, as 55 percent of companies exempted contract
workers, and 40 percent exempted part-time employees.
And even these courses fall short — only 52
percent of basic courses focus on safe internet browsing, while under half
focus on phishing and social engineering (49 percent), responding to data theft
(45 percent), social media dangers (39 percent), email hygiene (33 percent),
and installing software and mobile apps from risky sources (19 percent).
While over 70 percent of companies offered
advanced courses covering privacy laws and regulations and phishing, they still
lagged behind in educating employees on social media, email, and installation
best practices.
This was counter to what organizations' top
concerns were regarding negligent and malicious behavior, which included
unleashing malware from an insecure website or mobile device (70 percent) and
violating access rights (60 percent). Slightly over half of respondents'
organizations were also concerned with the use of unapproved mobile devices or
unapproved cloud or mobile apps, while a little under half also cited employees
accessing company apps from insecure public Wi-Fi, and being targeted in a
phishing attack, as significant worries.
“There could be several reasons for the
disconnect between how companies view training and the true effectiveness of
their programs. One of the major reasons in my mind is the way that many
companies evaluate the success of the programs,” Michael Bruemmer, vice president
of Consumer Protection at Experian Consumer Services, told Legaltech News.
“More often than not, success is measured by the
completion rate of the training or a simple pass-fail grade on a quick quiz at
the end. Only a small minority (11 percent) of companies measure the success of
a program by the reduction of non-compliant behaviors or practices by
employees, which are better indicators of success in reducing risk,” he added.
Organizations also did not handle employee
behavior uniformly. Slightly over half of organizations hold a one-on-one
meeting with an employee who is found to be negligent in handling data,
while 45 percent formally reprimand the employee in their personnel records and
a third terminate the employee.
In addition, most organizations (67 percent) do
not offer any incentives to employees for being proactive with data security
and privacy. The most common rewards for such behavior are
positive performance reviews (29 percent) and employee recognition (23 percent).
“Incentives can play a major role in improving
outcomes, because they go beyond just training to actively influencing
behavior,” said Bruemmer. “One simple step companies can do is provide small
financial rewards to employees when they notice and anonymously report a
potential security threat. For example, a phishing campaign targeted at the
organization or a physical part of the office that should be more secure
because it contains sensitive information. These programs can be very effective
in changing behavior.”
The survey also found that 70 percent of
organizations are challenged in reducing insider risks and negligent behavior
due to a lack of in-house expertise, while 55 percent noted their company lacks
the leadership to tackle such challenges head on, and 50 percent say
organizational silos are preventing the organization from properly addressing
risks. In addition, 47 percent of organizations lack the funding to implement
training programs to mitigate negligent behavior.
But many organizations did not find they could
rely on vendors to help them bridge their data security and privacy training
shortcomings either, with one-third noting that purchased training products are
not effective, while 29 percent called them somewhat effective.
Bruemmer, however, is optimistic that the future
of training programs will be far more impactful than they are today.
“I think we will see continued innovation in
this space in terms of how trainings will be delivered,” he said. “There are
several startups focusing on this area and working to create ways to gamify
security training and integrate it into employees’ regular routines. I think we
are going to see more simulated tests of different attacks that target
employees.”
Bruemmer added, “We will also see more
interactive online trainings. For example, creating a simulated work
environment where employees taking the training need to identify potential
security violations at an organization.”