A recent report from Forrester titled “Understand the State of Data Security and Privacy” indicates that more than one-third of all reported data breaches involved an insider, whether through malicious action or errant data handling.

Key to the findings is the fact that only 57% of employees said they were familiar with their company’s security policies, and 58% had received no training on security or how to properly handle sensitive data.

“This report states that 36 percent of attacks were a result of inadvertent misuse of data by employees, which indicates we have a lot of work to do to create an informed user community inside our enterprises,” said Dwayne Melancon, CTO of Tripwire.

“Policies are just expectations until employees are given the means and oversight to enforce your corporate policies. If they don’t know any better, you can count on them doing something inappropriate with your data, regardless of their intent.”

While policies may be in place at an organization, awareness and training may be lacking, making the policy ineffectual, according to research analyst Adrian Davis.

“With a policy, you would be lucky to see anything as most people don’t get it. Having a policy is not enough, you have got to do something with it,” Davis said.

Comprehensive security training programs should include periodic retraining and establish a system where security awareness metrics are set up to produce a “competitive” environment between unit managers, according to Melancon.

“One way to make this cultural emphasis stronger is to provide reports on the retention scores of employees, but organize it according to the business executives to whom they report. This ‘improvement by competition’ approach can help the cultural shift happen more quickly – after all, no executive likes to be at the bottom of the list,” he said.