Current cybersecurity training programs ineffective against insider threat reality: report
By Ricci Dipshan, from Legaltech News
A survey finds discrepancies in companies’ cybersecurity training effectiveness and executive concerns over insider threats.
Becoming aware of the modern cyberthreat landscape means also becoming aware of its inherent irony. For all the talk of how sophisticated cyberattacks are rising to record levels, the number-one threat to a legal department and company is still its own employees. And while data security and privacy training is the first line of defense against negligent employee behavior, such training programs are falling short, according to “Managing Insider Risk Through Training & Culture,” a report by Experian and the Ponemon Institute.
The survey of over 600 IT professionals, C-suite executives, managers, and other high-level staff in various U.S. organizations found that slightly over half of organizations (55 percent) suffered a security incident or data breach due to malicious or negligent employee behavior. In addition, only 51 percent of respondents agreed that their organization’s data security and privacy program was effective.
Those in the legal department were considered among the most conscientious in protecting data. Sixty percent of respondents cited the legal department as the most careful, behind the compliance department (cited by 67 percent) and the finance and accounting department (cited by 69 percent).
The report also noted that training at companies is not as comprehensive as one would think. Forty-three percent of respondents, for example, said their training program only offered one basic course, while 31 percent said they also offered advanced courses to employees with regular access to sensitive data. These courses were not offered to the entire workforce, as 55 percent of companies exempted contract workers, and 40 percent exempted part-time employees.
And even these courses fall short — only 52 percent of basic courses focus on safe internet browsing, while under half focus on phishing and social engineering (49 percent), responding to data theft (45 percent), social media dangers (39 percent), email hygiene (33 percent), and installing software and mobile apps from risky sources (19 percent).
While over 70 percent of companies offered advanced courses covering privacy laws and regulations and phishing, they still lagged behind in educating employees on social media, email, and installation best practices.
This runs counter to organizations’ top concerns regarding negligent and malicious behavior, which included unleashing malware from an insecure website or mobile device (70 percent) and violating access rights (60 percent). Slightly over half of respondents’ organizations were also concerned about the use of unapproved mobile devices or unapproved cloud or mobile apps, while a little under half also cited employees accessing company apps from insecure public Wi-Fi, and employees being targeted in a phishing attack, as significant worries.
“There could be several reasons for the disconnect between how companies view training and the true effectiveness of their programs. One of the major reasons in my mind is the way that many companies evaluate the success of the programs,” Michael Bruemmer, vice president of Experian Data Breach Resolution, told Legaltech News.
“More often than not, success is measured by the completion rate of the training or a simple pass-fail grade on a quick quiz at the end. Only a small minority (11 percent) of companies measure the success of a program by the reduction of non-compliant behaviors or practices by employees, which are better indicators of success in reducing risk,” he added.
Organizations also did not handle employee behavior uniformly. Slightly over half of organizations hold a one-on-one meeting with an employee who is found to be negligent in handling data, while 45 percent place a formal reprimand in the employee’s personnel record and a third terminate the employee.
In addition, most organizations (67 percent) do not offer employees any incentive for being proactive about data security and privacy. The most common rewards for such behavior are positive performance reviews (29 percent) and employee recognition (23 percent).
“Incentives can play a major role in improving outcomes, because they go beyond just training to actively influencing behavior,” said Bruemmer. “One simple step companies can take is to provide small financial rewards to employees when they notice and anonymously report a potential security threat. For example, a phishing campaign targeted at the organization or a physical part of the office that should be more secure because it contains sensitive information. These programs can be very effective in changing behavior.”
The survey also found that 70 percent of organizations are challenged in reducing insider risk and negligent behavior by a lack of in-house expertise, while 55 percent noted that their company lacks the leadership to tackle such challenges head-on, and 50 percent said organizational silos prevent the organization from properly addressing risks. In addition, 47 percent of organizations lack the funding to implement training programs that mitigate negligent behavior.
Many organizations also did not find that they could rely on vendors to bridge their data security and privacy training shortcomings: one-third said purchased training products are not effective, while 29 percent called them only somewhat effective.
Bruemmer, however, is optimistic that the future of training programs will be far more impactful than they are today.
“I think we will see continued innovation in this space in terms of how trainings will be delivered,” he said. “There are several startups focusing on this area and working to create ways to gamify security training and integrate it into employees’ regular routines. I think we are going to see more simulated tests of different attacks that target employees.”
Bruemmer added, “We will also see more interactive online trainings. For example, creating a simulated work environment where employees taking the training need to identify potential security violations at an organization.”
For more on this story go to: http://www.legaltechnews.com/id=1202758280233/Current-Cybersecurity-Training-Programs-Ineffective-Against-Insider-Threat-Reality-Report-