Experian Data Breach Resolution and Ponemon Institute study reveals organizations are not doing enough to prevent employee-caused security incidents

New study finds that 60 percent of companies believe that their employees are not knowledgeable about the company’s security risks

Costa Mesa, Calif., May 23, 2016 — Experian Data Breach Resolution and Ponemon Institute today released an industry study revealing that while employee-related security risks are the number-one concern for security professionals, organizations are not taking adequate steps to prevent negligent employee behavior. The study, Managing Insider Risk Through Training & Culture, asked more than 600 individuals at companies that currently have a data protection and privacy training program to weigh in on the topic of negligent and malicious employee behaviors, as well as the consequences of poor security conduct and the effectiveness of training.

The study found that more than half (55 percent) of companies surveyed have already experienced a security incident due to a malicious or negligent employee. However, despite investment in employee training and other efforts to reduce careless behavior in the handling of sensitive and confidential information, the majority of companies do not believe that their employees are knowledgeable about the company’s security risks.

Alarmingly, concern around the issue of employee security risks is not necessarily making companies any more effective at addressing it. Sixty percent of companies surveyed believe that their employees are not knowledgeable or have no knowledge of the company’s security risks. Additionally, the study showed a lack of concern by C-suite executives. Only 35 percent of respondents say senior management believes it is a priority that employees are knowledgeable about how data security risks affect their organization. This illustrates a clear gap between companies’ awareness of the issues caused by employee negligence and their actions.

“Among the many security issues facing companies today, the study emphasizes that the risk of a data breach caused by a simple employee mistake or act of negligence is driving many breaches. Unfortunately, companies continue to experience the consequences of employees either falling victim to cyberattacks or exposing information inadvertently,” said Michael Bruemmer, vice president, Experian Data Breach Resolution. “There are several steps that companies should take to better equip their employees with the tools they need to protect company data, including moving beyond simple employee education practices and shifting to a culture of security.”

Additional key findings from the study:

Companies are missing a valuable learning opportunity
• Only 46 percent of surveyed companies make training mandatory for all employees.
• When companies experience a data breach, they have a unique opportunity to re-engage employees around protecting company data. Unfortunately, 60 percent of companies do not require employees to retake security training courses following a data breach, missing a key opportunity to emphasize security best practices.

Employee training programs currently fall short
• The effectiveness of training programs varies greatly, and many are not extensive enough to drive significant behavioral change. Only half of companies agree or strongly agree that current employee education programs actually reduce noncompliant behaviors.
• Many training programs provide only basic information and are not delivered on a regular basis. Forty-three percent of companies provide only one basic course for all employees, and often these courses don’t cover a number of large risks that lead to data breaches. These critical areas are covered in less than half of basic programs:
o Phishing and social engineering attacks (49 percent)
o Mobile device security (38 percent)
o Using cloud services safely (29 percent)

Organizations need to foster a culture of security
• The study found that companies are not currently implementing a number of simple incentives that could encourage positive security behaviors. Of the companies surveyed, 67 percent provide no incentives to employees for being proactive in protecting sensitive information or reporting potential issues.
• Among those that do provide incentives, only 19 percent provide a financial reward and only 29 percent mention security in performance reviews. Furthermore, the study found that one-third of companies have no consequences if an employee is found to be negligent or responsible for causing a data breach.

To access the full complimentary report, Managing Insider Risk Through Training & Culture, visit http://bit.ly/24VNeTM

Additional data breach resources, including Webinars, white papers and videos, can be found at http://www.experian.com/databreach. Read the Experian Data Breach Resolution blog by visiting http://www.experian.com/dbblog.

Jocelyn Kemly
1 206 664 8616

Sandra A. Bernardo, APR
Experian Data Breach Resolution
1 949 567 3676

About Experian Data Breach Resolution
Experian Data Breach Resolution, powered by the nation’s largest credit bureau, is a leader in helping businesses prepare for a data breach and mitigate consumer risk following breach incidents. With more than a decade of experience, Experian Data Breach Resolution has successfully serviced some of the largest and highest-profile data breaches in history. The group offers swift and effective incident management, notification, call center support and fraud-resolution services while serving millions of affected consumers with proven credit and identity protection products. In 2015, Experian Data Breach Resolution was named a market leader in the Forrester Research, Inc., report on data breach services. Experian Data Breach Resolution is active with the International Association of Privacy Professionals, the Health Care Compliance Association, the Ponemon Institute RIM Council and is a founding member of the Medical Identity Fraud Alliance. For more information, visit http://www.experian.com/databreach and follow us on Twitter @Experian_DBR.

About Experian
We are the leading global information services company, providing data and analytical tools to our clients around the world. We help businesses to manage credit risk, prevent fraud, target marketing offers and automate decision making. We also help people to check their credit report and credit score and protect against identity theft. In 2015, we were named one of the “World’s Most Innovative Companies” by Forbes magazine.

We employ approximately 17,000 people in 37 countries and our corporate headquarters are in Dublin, Ireland, with operational headquarters in Nottingham, UK; California, US; and São Paulo, Brazil.

Experian plc is listed on the London Stock Exchange (EXPN) and is a constituent of the FTSE 100 index. Total revenue for the year ended March 31, 2016, was US$4.6 billion.

To find out more about our company, please visit http://www.experianplc.com or watch our documentary, “Inside Experian.”

Experian and the Experian marks used herein are trademarks or registered trademarks of Experian Information Solutions, Inc. Other product and company names mentioned herein are the property of their respective owners.