Avoid ‘check-the-box compliance’ with cybersecurity

The need to educate employees about cyber risk management is more important than having a compliance program, says one expert

With the workplace becoming more digitised, two recent reports showed the need for more companies to invest in training employees in data security.
 
Wells Fargo Insurance released a report that said only 7% of companies in North America believed that “their employees’ misuse of technology posed a potential threat”, said Mary Kathryn Curry in The National Law Review.
 
Another report released by the Ponemon Institute, an independent research firm measuring privacy, data protection, and information security policies, found that over the course of a year, 874 insider incidents of data breach were tallied.
 
“[Of those], 65% were caused by employee negligence, 22% by malicious employees or criminals, and about 10% by imposter fraud,” said Curry, adding that the negligence cost the company more than US$200,000 per incident and roughly US$3 million annually.
 
“Companies perceive insider threats as mostly driven by malicious employees, but the fact is that a significant portion of the risk is due to insider carelessness.”
 
Curry noted that the Ponemon report claimed that “training programs … companies have are just not very good. They are really focused on check-the-box compliance requirements to show everyone that [the] company [has] training on data protection” while Wells Fargo Insurance emphasised the need to educate employees about cyber risk management.
 
Apart from recommending that companies re-evaluate their training programs, the Ponemon report also recommended the use of user behaviour analytics to track, collect, and assess user data and online activity.
 
“The recommendation is to focus on visibility and transparency – not on stringent controls – and to build ‘a layered defense that delivers a comprehensive range of capabilities across visibility, detection, context and rapid response,’” said Curry.