Employee Training to Reduce Cybersecurity Breaches Underused

By Allen Smith January 8, 2016

Fewer than half of in-house counsel (45 percent) said that their companies have mandatory training for employees on how to prevent cybersecurity breaches, found the Association of Corporate Counsel (ACC) Foundation.

The ACC, an association serving the needs of more than 40,000 corporate lawyers in 85 countries, published The State of Cybersecurity Report on Dec. 9, 2015. The report reflects data from a survey of 1,015 responding corporate general counsels.

“HR has a tremendous opportunity” to educate employees about cybersecurity, and to design policies that support legal, financial and information technology, said Amar Sarwal, vice president and chief legal strategist for ACC. “HR can be right at the center of this.”

Organizational policies related to cybersecurity include ones on:

  • Social media.
  • Document retention.
  • Employee manual acceptance.
  • Internet privacy.
  • Access management.
  • Bring-your-own-device.

Data Breach Causes

Nearly one third of respondents (31 percent) had worked at a company where a data breach had occurred. Among those who had experienced a breach, the reported cause of the incident was:

  • Employee error—24 percent.
  • Inside job—15 percent.
  • Phishing—12 percent.
  • Access through a third party—12 percent.
  • Lost laptop or device—9 percent.
  • Malware—7 percent.

Employee Training

An important step to reduce a company’s risk of a cybersecurity breach is employee training, but mandatory training is not yet widespread.

One in three in-house counsel said that their company tracks attendance for mandatory training as a means to evaluate preparedness at the employee level; 19 percent test knowledge acquired during mandatory training. Mock security events are conducted at just 17 percent of respondent companies.

“Training employees on company security policy when onboarding or annual training is not enough,” said Stu Sjouwerman, CEO of KnowBe4, maker of a security awareness training and simulated phishing platform. “To be most effective, use anti-phishing tools to frequently test employees on a variety of types of subjects and times, then follow up with remedial training for anyone who fails.”

He also recommended that employers:

  • Change administrative passwords frequently.
  • Limit access to information on a need-to-use basis.
  • Limit who gets access to sensitive information.
  • Institute multifactor authentication to reduce the chances of unauthorized access and more easily identify who is accessing information.

He said training should be “engaging and effective. It should be something employees feel nicely challenged by but not intimidated [by]. Offer rewards and/or acknowledgments for employees who consistently pass mock phishing tests or spot real attempts. In this day and age, security should be part of the corporate culture … [I]n the end, the best security you have is trained employees that are on their toes with security top of mind.”

Lawyers’ Worries

In-house counsels’ most immediate concerns related to data breaches were, in order of importance:

  • Damage to reputation/brand.
  • Loss of proprietary information.
  • Economic damage.
  • Government/regulatory action.
  • Business continuity.
  • Litigation.
  • What members of the board of directors think.
  • Executive liability.
  • Preservation of lawyer-client privilege.
  • Media coverage.
  • Shareholder activity.

The Center for Strategic and International Studies estimated in June 2014 that the annual cost to the global economy from cybercrime exceeds $400 billion.

Cybersecurity Insurance

Cybersecurity insurance is becoming common, with 64 percent of responding lawyers in the United States saying their company is insured, and 26 percent of responding in-house counsel expecting their company to increase cybersecurity coverage over the next year. However, a majority (58 percent) said they will maintain their coverage as it is now.

Respondents reported considerable dissatisfaction with cybersecurity insurance: 70 percent of those who had experienced a data breach said the insurance did not cover the damages the breach caused.

Only 13 percent of respondents said they are extremely confident they have the right coverage for a cybersecurity breach.

Allen Smith, J.D., is the manager of workplace law content for SHRM. Follow him @SHRMlegaleditor.
