Data Protection and Training Programs are Ineffective

published on Cybersecurity
Despite all the reports demonstrating that sophisticated cyberattacks have reached record levels, the top threat to an organization is its own employees. Milions have been spent on training programs, which serve as the first line of defense, but they have proven to be ineffective. A report, “Managing Insider Risk Through Training & Culture” by Experian and the Ponemon Institute surveyed 601 individuals in companies that have a data protection and privacy training program (DPPT) program already in place. The report found that attention to data protection and privacy is an important piece often missing from company culture.

The state of security awareness:

More than half of respondents reported that their organization were the victim of a security breach due to careless employee behavior. This suggests that companies need to establish and communicate the consequences of a data breach caused by an employee. 5 percent of respondents were unsure if their organization suffered a security incident due to a careless employee (How can they manage their risks if they don’t even know what they are?). Setting the tone starts at the top, which is why it’s critical to have all employees participate in the DPPT program.

Effacts-Blog-Data-Protection-and-Training-Programs-are-Ineffective-01.png Top concerns:

The number one security risk organizations are concerned about is employees exposing sensitive or confidential information. One way to lessen this concern is to spell out clear consequences for negligent behavior. Alongside clear consequences, DPPT programs can help reduce risk by directly addressing the security risks facing the organization. Effacts-Blog-Data-Protection-and-Training-Programs-are-Ineffective-02.png

The role of senior management:

Only 35 percent say that senior executives believe it’s a priority that employees know how data security risks affect their organization. As a result this is reflected in the company culture – employees aren’t being held accountable for failing to report a data breach and aren’t aware of the data security risks. Effacts-Blog-Data-Protection-and-Training-Programs-are-Ineffective-03.png

Employee Incentives:

The overwhelming majority (67 percent) of respondents say their organization doesn’t offer any incentives for employees who proactively protect sensitive and confidential information. Offering incentives can have a major impact on improving outcomes, because they actively influence behavior. Without incentives, employees feel less obliged to protect sensitive information and report a breach. Effacts-Blog-Data-Protection-and-Training-Programs-are-Ineffective-04.png

Program structure:

Training most often include one basic course for everyone. Unfortunately, basic courses don’t do much to ensure that employees retain what they learned. Furthermore, 55 percent of respondent said that certain employees are exempt from privacy courses. Programs that simulate real threats provide a simple way of engaging behavior. Basic courses typically covered password security, privacy laws and regulations, responding to data breach or theft and protecting paper documents. The biggest difference is that advanced programs tended to cover safe browsing, social media dangers, and installing software apps from risky sources. Effacts-Blog-Data-Protection-and-Training-Programs-are-Ineffective-05.png


The report recommends organizations create a culture that is mindful of security – that all starts with the tone from the top. Senior executives should set an example by participating in the DPPT program. Training programs should be interactive and simulate real-life situations to help integrate security into employees’ day-to-day operations. Source: Experian