Experian Data Breach Resolution sponsored a recently released Ponemon Study entitled “Managing Insider Risk through Training & Culture.” The report is quite timely in light of all of the recent successful W-2 phishing schemes.

The report is very informative and worth the read. The highlights include that 66% of the respondents “admit employees are the weakest link in their efforts to create a strong security posture.” 55% of the respondents stated that their organization suffered a security incident of a data breach due to a malicious or negligent employee.

The top two risks cited by respondents in the study include a data breach “caused by a careless or negligent employee who exposes sensitive information or succumbs to a targeted phishing attack.” The companies also indicated that they have concerns over employee behavior that could allow malware to infiltrate their system from an insecure website or mobile device, and using unapproved cloud or mobile applications to send sensitive company information outside of the company.

Despite these concerns, the study found that only 35% of those surveyed confirmed that executives believed that data security training is a priority for the company. And only 50% believed that the training programs in place actually help change behavior. The training programs are deemed ineffective and don’t provide education on phishing and social engineering, mobile device training or the use of secure cloud services. Shockingly, only 45%  of those surveyed said their companies have mandatory training requirements.

Bottom line? Every organization is at risk (as we have continuously seen over the past year with phishing attacks) and employees continue to be one of your top risks. Training, real training that gives employees valuable data security education and tools to be vigilant during the work day while using an organization’s computer assets or mobile technology is essential in reducing the risk of data loss. Online training can be very boring and allows employees to multi-task. Live training is much more effective and fun, and mixing in personal tips with risks to the company give employees a value add that is invaluable.

Effective training will get all employees to start looking around them, finding the keys to the filing cabinets, putting sensitive documents away at night and being more aware of using encryption for emails and picking up the phone when the CEO is requesting W-2s of employees.

Effective employee training is essential for a company’s risk management program and the return on investment is invaluable.