Concern that an employee will trigger a data breach remains the enterprise’s top security fear. Yet, a study suggests, few corporations are effectively managing this risk. 

This conclusion comes from a Ponemon Institute survey of 601 individuals at companies that run data protection and privacy training and who are knowledgeable about their employer’s security program. The Institute is part of the security consulting firm Experian Data Breach Resolution. 

The study found that 55 percent of these companies have experienced a significant security breach, and 60 percent of respondents said their employees are essentially clueless about security risks. Yet just 35 percent agreed that their senior management team “believes it is a priority that employees are knowledgeable about how data security risks affect their organization.” 

Conclusion? “Concern around the issue of employee security risks is not necessarily making companies any more effective at addressing it,” Experian says. “Additionally, the study showed a lack of concern by C-suite executives. This illustrates a clear gap between companies' awareness of the issues caused by employee negligence and their actions.” 

Additional key findings from the study: 

  • 46 percent of surveyed companies make training mandatory for all employees; 

  • 60 percent of companies do not require employees to retake security training courses following a data breach; 

  • Only half of companies agree or strongly agree that current employee education programs actually reduce noncompliant behaviors; 

  • 43 percent of companies provide only one basic course for all employees, and often these courses don't cover a number of large risks that lead to data breaches. 


The gaps identified by the study in corporate security training programs further underscore the extent of the risk most companies are taking. The following basic security risk areas are not covered in more than half of basic programs: 

  • Phishing and social engineering attacks (49 percent) 

  • Mobile device security (38 percent) 

  • Using cloud services safely (29 percent) 

Further, companies aren’t focused on making employees care about security risks. Two-thirds offer absolutely no incentives to employees “for being proactive in protecting sensitive information or reporting potential issues.” Financial rewards are offered by just 19 percent, and only 29 percent mention security in performance reviews. Perhaps even worse, Experian says, employees face no consequences for triggering a breach at a third of the companies surveyed. 


Dan Cook

Dan Cook is a journalist and communications consultant based in Portland, OR. During his journalism career he has been a reporter and editor for a variety of media companies, including American Lawyer Media, BusinessWeek, Newhouse Newspapers, Knight-Ridder, Time Inc., and Reuters. He specializes in health care and insurance related coverage for BenefitsPRO.