Despite data breaches, many employers skip cyber risk training

A recent Ponemon Institute L.L.C. survey shows that many employers are not making data protection and privacy training mandatory.

Although more than half of respondents say their organization has had a data breach caused by a malicious or negligent employee, less than half make data protection and privacy training mandatory, according to a survey report issued Monday by the Ponemon Institute L.L.C.

The survey of 601 respondents, which was conducted in April, found that while 55% believe their organization has had such a security breach, just 45% make training mandatory for employees.

And even when mandatory, 29% of respondents say their CEO or C-suite executives are not required to take the course, according to the survey by the Traverse City, Michigan-based data security research firm.

“Managing Insider Risk through Training & Culture” was sponsored by Experian Data Breach Resolution, a unit of Costa Mesa, California-based Experian Information Solutions Inc.

The report says also even when there is training, there are “critical areas that are often ignored.” A total of 49%, for instance, say the course includes phishing and social engineering attacks, while 36% say it includes mobile device security and 29% say the course includes the secure use of cloud services.

In addition, 67% of respondents say their organizations do not provide incentives to employees for being proactive in protecting sensitive information or reporting potential issues, among other survey findings.