Despite studies indicating that data security is a top concern for executives and corporate boards — a development we previously blogged about here — barely half of employees are familiar with their company’s information security policies, according to a survey by Forrester Research.  The report explains, “only 56 percent of information workers in North America and Europe say that they are aware of their organisation’s current security policies.” 

This lack of awareness, and of employee training generally, undoubtedly contributes to the ongoing problem of data breaches, many of which are caused by employee carelessness. According to the same Forrester study, 31% of data breaches are attributable to simple loss or theft, such as employees losing laptops or USB drives; another 27% are caused by employees inadvertently misusing corporate assets. A Ponemon Institute survey of 49 U.S. companies similarly found that negligent insiders were the root cause of 39% of the data breaches studied.

The Forrester report and similar surveys have found other surprisingly common data security weaknesses:

  • Nearly a quarter (23%) of the organizations in the Forrester study have not implemented any form of mobile data protection. 
  • Although 77% of U.S. organizations in a Ponemon Institute survey claimed to have a significant or very significant commitment to risk-based security management, fewer than half (46%) have actually implemented any risk management program activities.
  • In a survey of Fortune 2000 companies, only 33% of corporate boards were actively addressing computer and information security. 

This last point is particularly notable, because directors and officers’ involvement in cyber risk management is becoming an increasingly important issue for shareholders and policymakers.  On Monday, a group of Apple shareholders filed a shareholder proposal that would require Apple’s Board of Directors to publish a report explaining how the Board is overseeing privacy and data security risks.  As we noted here, Senator Rockefeller recently requested cybersecurity information from the CEOs of Fortune 500 companies.  In August, following up on a guidance document released last year, the SEC pushed six companies to improve the cybersecurity disclosures in their SEC filings.