It is disheartening to see how the end-user is being managed when it comes to combating cyber security threats, suggests Amy Baker, vice president of marketing for Wombat Security Technologies, Inc.
“Insider threats are widely discussed and well-recognized, so it stands to reason that organizations would be prioritizing these issues and attacking them head on,” Baker maintains, citing findings from a recent report released by Experian Data Breach Resolution and Ponemon Institute.
The report, Managing Insider Risk through Training & Culture, notes that although organizations acknowledge insider risk continues to be a significant challenge on the cyber security front, employees are not being provided the necessary training to do their parts to help reduce risks.
Although care in managing the end-user is needed, Baker suggests, “the results from the Ponemon study seem to indicate that is not the case.” The report is based on a survey of 601 individuals who work in companies with a data protection and privacy training program and who are knowledgeable about the program.
Survey results show that 66% of respondents report feeling that employees are the weakest link in the security chain, while 55% of respondents indicate their organization had suffered a security incident or data breach as the result of negligent or malicious end-user behaviours.
Baker points to several findings that are of concern:
only 35% of respondents say their senior executives have made end-user security awareness and training a priority;
60% report their employees are not knowledgeable or have no knowledge of the company’s security risks; and
less than half, 49%, indicate they teach employees about phishing and social engineering attacks.
The results “are particularly troubling given that each respondent’s organization is using some level of data protection and privacy training,” Baker suggests in the Wombat Security statement.
That being the case, organizations need to enhance their approach to cyber security education. “End-users can be a valuable resource. Not only can employees help block external attacks, they can also be eyes and ears on the inside, helping to identify negligent behaviors and potential malicious internal actors,” the statement notes.
A continuous training approach needs to be implemented that keeps security top of mind year-round and allows employees to cover multiple topics in “digestible” chunks.
It is also important for all employee segments (including contract and part-time workers) to be involved in the training. “Every connected employee is a potential point of entry for attackers, and the C-suite has been increasingly targeted.”
In addition, Wombat Security recommends considering gamification to make security awareness and training programs more engaging and rewarding for end-users.
“Employees and other insiders inadvertently exposing sensitive or confidential information is a nightmare scenario for companies,” notes the Ponemon report. But that risk persists despite the millions of dollars spent on investments in employee training and other efforts to reduce careless behaviour in handling sensitive and confidential information, the report adds.