
The HIPAA Journal is the leading provider of HIPAA training, news, regulatory updates, and independent compliance advice.

Cybersecurity Training Failing to Tackle Insider Threat

A recent Ponemon Institute/Experian study – Managing Insider Risk Through Training & Culture – has shown that companies are failing to provide adequate cybersecurity training to prevent negligent behavior by employees and to reduce the risk of an insider data breach.

For the latest study, over 600 individuals from a wide range of organizations were questioned about their cybersecurity training programs. Respondents included C-suite executives, managers, and IT professionals from companies that had a data protection and privacy training (DPPT) program in place.

The study revealed that 55% of companies have experienced a data breach in the past that was caused by employee negligence or human error. When asked about the risk of a data breach resulting from negligence or employee error, the majority of companies were aware of the risk.

66% of respondents said they believed employees are the weakest link in the security chain, yet more than half of respondents said their cybersecurity training programs were not effective.

When asked about training programs and employees' knowledge of security risks, 60% of respondents said their staff members are not knowledgeable or have no knowledge of the security risks faced by their company. Even when a data breach occurs, 60% of organizations said that it is not mandatory for employees to retake cybersecurity training courses, and a third of companies did not punish employees for negligent behavior.


Cybersecurity Training Is Insufficient to Address the Most Common Causes of Data Breaches

The study also showed that at many companies it is not mandatory for all staff to participate in cybersecurity training programs. Fewer than half of companies (45%) provide cybersecurity training to all employees in the organization, and 43% of companies only offer training on basic cybersecurity.

Even some of the biggest risks are not being addressed in these training courses. Fewer than half of respondents said their courses involved training to avoid phishing attacks and social engineering scams. Only 52% of basic courses included training on safe Internet browsing, 39% explained the dangers of social media, 33% covered email hygiene, and just 19% covered shadow IT and the risks from downloading mobile apps to devices from potentially risky sources.

There are a number of reasons why training programs are failing. The main two problems were a lack of in-house expertise (70%) and a lack of internal leadership and ownership (50%). Budgetary constraints were also cited as a barrier by 47% of respondents, while 29% said the C-suite had not bought into the need to provide cybersecurity training to employees to reduce the risk of a data breach. Only 35% of senior managers said improving employees’ knowledge of data security risks was a priority for their company, even though training can greatly reduce the risk of a data breach.

According to the vice president of Experian Data Breach Resolution, Michael Bruemmer, “There are several steps that companies should take to better equip their employees with the tools they need to protect company data, including moving beyond simple employee education practices and shifting to a culture of security.”

It should be noted that in the healthcare sector, staff are mandated to receive HIPAA training.


Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
