In a US study by Experian and Ponemon Institute earlier this year, 55% of the polled companies had experienced a security incident caused by a malicious or negligent employee despite already having a data protection and privacy training program in place. 60% of respondents believed that their employees were not knowledgeable, or had no knowledge at all, of the company’s security risks. Of even greater concern was the finding that only 35% believed their senior management sufficiently cared whether employees understood how data security risks affected the organisation.
Here are some of the other highlights of the study:
- Only 46% of surveyed companies made training mandatory for all employees.
- 60% of companies did not require employees to retake security training courses following a data breach.
- 43% of companies provided only a single basic course for all employees, leaving a number of major breach-causing risks uncovered.
- Of those basic courses, only 49% covered phishing and social engineering attacks, 38% covered mobile security and only 29% covered using cloud services safely.
- 67% provided no incentives to employees for being proactive in protecting sensitive information or reporting potential issues.
- One-third of companies have no consequences if an employee is found to be negligent or responsible for causing a data breach.
Although the study covered US companies, there is no reason to believe that the situation in the UK would be any better.
Does your organisation provide regular and mandatory data protection, privacy and cyber-awareness training to all employees?