
The Privacy Advisor | From weakest link to strongest asset: tackling employee negligence


In security, it’s often said that you are only as strong as your weakest link – be it a remote office or system that is not properly secured, or the use of unsanctioned applications or mobile devices that could compromise sensitive information. However, more often than not, your weakest link and the cause of many security incidents is not a piece of technology at all. It’s the employees and partners you rely on every day to do business.

In just the first half of this year, a number of high-profile organizations have fallen victim to employee-caused breaches, including Snapchat, Google, Federal Deposit Insurance Corp., Magnolia Health Corporation and Mercy Housing Inc. What's clear from these examples is that criminals are now targeting employees more than ever before, with attacks ranging from spear phishing emails aimed at tricking HR departments into exposing W-2 forms to embedding malware in well-disguised attachments.

Unfortunately, neither these attacks nor growing awareness of the issue has translated into companies being more effective at addressing this vulnerability. According to a recent Experian Data Breach Resolution and Ponemon Institute study, which explores the link between employee negligence and breaches, 55 percent of organizations have experienced a security incident due to a malicious or negligent employee.

Further, the study found that most organizations are struggling to create effective education and employee engagement programs. As a result, 60 percent of security and privacy professionals believe employees are not knowledgeable, or have no knowledge at all, of the company’s security risks, despite all of the organizations having security awareness training programs.

The lack of well-established employee training programs is not only a best-practice issue, but also a legal risk. Statutes require, and regulators expect, companies to have security and privacy training as part of their data hygiene. Failure to have a thoughtful and well-documented program only exacerbates the risk and eventual cost exposure of an incident.

Fortunately, there are several steps security and privacy professionals can take to more effectively engage employees and create a culture of security. This can be the best investment a company makes to prevent attacks.

Enhance training programs

Data protection and privacy training (DPPT) programs, along with proper security policies and procedures, are critical to reducing insider risk and limiting the frequency and severity of data privacy events, yet most companies face a number of hurdles developing strong and effective programs. Based on Experian’s recent study, we believe there are three major ways to improve these programs.

The C-suite must set the tone

Change in behavior must start from the top. For security and privacy training programs to become more effective, senior executives must participate in them and emphasize the importance of taking them seriously. Their participation is also critical from a regulator’s point of view, as security training and procedures without enforcement and tracking are neither effective nor compliant. Unfortunately, this senior-level buy-in is lacking in many organizations: only 35 percent of respondents said senior executives believe it is a priority that employees are knowledgeable about how data security risks affect their organizations. Even more concerning, many executives are not walking the walk. In fact, 29 percent of CEOs and C-level executives are exempt from taking mandatory training, which not only sets a bad example for other employees, but also puts high-value and sensitive information at risk, since senior leaders are often the target of attacks.

When launching training programs, having a C-suite executive communicate to all staff about the importance of the programs and the critical role employees play in protecting the company can help ensure that people take the training seriously.

Improve the quality of training

The majority of companies (57 percent) offer only one basic training course for all employees, which often does not cover many of the critical and emerging areas of risk. In fact, less than half of courses include training on phishing and other social engineering attacks, which are major emerging threats.

Instead of providing a single basic course, companies should explore creating a number of shorter trainings that cover a wider range of content. This approach keeps security messages regularly front and center with employees and improves retention by not overwhelming them with too much content at once.

Gamify the experience

Lastly, it’s important to make security training programs engaging and interactive. Developing or purchasing training courses that more effectively illustrate the threats the company faces can be effective. For example, sending simulated phishing emails to employees internally and showing them an educational message if they click on the “bad” email can serve as a real-life example of just how vulnerable they are to attacks. Another effective approach is creating interactive games in which employees are asked to identify non-compliant behavior in a simulated office environment.

Create a culture of security

Training alone is not enough to truly change employee behavior and attitudes toward security. It requires finding ways to create a culture of security and encouraging good behavior. This means providing incentives for employees, as well as establishing clear consequences for negligent behavior.

Today, the majority of companies do not reward responsible employees for their good behavior, despite incentives being one of the most valuable and effective tools for motivating employees to improve their security posture. Companies should consider incorporating simple yet effective incentives, like an employee recognition award or a small financial reward, given to employees who report potential security concerns and are vigilant in keeping sensitive records safe. For departments that regularly handle sensitive information, like human resources or finance, companies can also consider incorporating security practices into performance reviews.

Companies should also establish clear consequences for employees who demonstrate negligent behavior. Unfortunately, one-third of companies have no consequences if an employee is found to be careless or responsible for causing a breach. Given the liability that data breaches carry (the high cost of notifying those affected, loss of customers and/or employees, litigation and fines), it’s extremely important that senior executives demonstrate that negligent behavior is highly discouraged. Consequences could include a one-on-one meeting with a superior or a member of the IT security function or, in more extreme circumstances, a reduction of salary, bonuses or incentives.

Ultimately, establishing a strong company culture and improving training programs, with the involvement and enforcement of executives, will emphasize the importance of reducing the risk of a data breach or security incident, saving companies from their biggest security threat – their own employees. With time, employees can even become a security asset by detecting potential attacks and alerting the security team so it can take action.
