Training News

Untrained Employees Put Company Data at Risk

In yesterday’s Advisor, we presented results from The Cybersecurity Risk to Knowledge Assets study from Kilpatrick Townsend & Stockton and Ponemon Institute. Today we discuss the rest of the findings, including how untrained or careless employees can be a big part of the cybersecurity problem.

  • The cost is high, and it may not be covered. The average cost to remediate attacks against knowledge assets in the past 12 months was $5.4 million, with nearly 7 out of 10 respondents saying that the maximum cost estimates for such attacks would top more than $100 million and almost 5 out of 10 assessing the cost at more than $250 million.
    • On average, only 35% of the losses resulting from the theft of knowledge assets are believed by respondents to be covered by their company’s current insurance.
  • Careless employees and unchecked cloud providers are key risk areas. The most likely root cause of a data breach involving knowledge assets is the careless employee, but employee access to knowledge assets is not often adequately controlled. 50% of respondents replied that both privileged and ordinary users have access to the company’s knowledge assets.
    • Likewise, 63% of respondents state that their company stores knowledge assets in the cloud, but only 33% say their companies carefully vet the cloud providers storing those assets.


“In the data classification schemes we have helped create over the years, we have often seen companies identify their most essential knowledge assets, and then face the fact that—until that moment—they have provided no special cyber or any other protection for those assets commensurate with their importance,” said Jon Neiditz, coleader, Kilpatrick Townsend Cybersecurity, Privacy and Data Governance Practice. “For our clients who invent, we encourage them not to ‘leave knowledge assets on the table’—to choose between, for example, patent, copyright, trade secret, and/or contractual protections (including in open source) and then arrange for cybersecurity and insurance protection accordingly.”

“By focusing on the application of good cybersecurity risk management principles to prioritized knowledge assets, this research breaks new ground for boards of directors and organizational leaders in fields such as information security, legal, audit, risk management, compliance, IT, intellectual property, privacy, human resources, and procurement. The importance to chief privacy officers, for example, is evident from non-notice-triggering customer information being respondents’ highest-valued knowledge asset across all industries. To all organizational leaders, the study offers a call to action and a set of arguments justifying action while also providing an ongoing chronicle of successful and unsuccessful practices and programs,” Neiditz added.

“Companies face a serious challenge in the protection of their knowledge assets. The good news is there are steps to take to reduce the risk,” said Larry Ponemon, PhD, chairman and founder, Ponemon Institute. “First of all, understand the knowledge assets critical to your company and ensure they are secured. Make sure the protection of knowledge assets, especially when sharing with third parties, is an integral part of your security strategy, including incident response plans. To address the employee negligence problem, ensure training programs specifically address employee negligence when handling sensitive and high value data.”

For a copy of the executive summary and full report, please click here.