Getting Employees Invested in Cyber Security Remains an Uphill Struggle

Companies need to find new ways to ensure that their employees don’t fall victim to cyber complacency

Even as companies add more security measures to their networks and cut down on the number of successful cyber attacks, they’re still searching for better ways to get their employees invested in online safety.

And for good reason.

29 percent of U.S. executives polled said that breaches caused by insiders result in more damage than those caused by outside hackers, according to the 2017 U.S. State of Cyber Crime report, produced by CSO in conjunction with the U.S. Secret Service and CERT at Carnegie Mellon University.

What’s more, most incidents caused by insiders (at least 47 percent) are triggered by an “innocent employee who falls for a phishing or hacker scam,” the report found.

“More targeted phishing attacks are happening now than ever before, and they’re more successful because (the phishers) are getting better,” said Aaron Cohen, director of cyber skills development for Symantec.

Although most companies take the time to train employees on the dangers of an improperly clicked link or a precisely targeted piece of spam, this remains the proverbial work in progress.

CEOs are now taking more definitive steps to secure their companies’ data. They’re asking for more frequent updates from their IT and security departments, for both themselves and their boards of directors. In 2017, 20 percent of boards received monthly reports from their CSOs, up from 16 percent in 2015, according to the cyber crime report. However, 29 percent still receive no reports at all.

In the workplace, they’re adding new measures such as two-factor authentication for remote logins, or asking for more audits of third-party vendors or providers who may be vulnerable to attack. Health care-related companies, for example, need to make sure that every vendor they work with understands how to protect patient privacy and follow HIPAA regulations, said Bob Bragdon, senior vice president and publisher of CSO magazine.

C-level executives are also keenly aware of the dangers. “They are the privileged users with the access to the most privileged information,” making them the juiciest targets for hackers, said Bragdon.

When breaches expose the personal information of customers, the ramifications can reach throughout the organization and lead to resignations or dismissals.

“The C-suite … has gotten more serious in the last year and a half,” Bragdon said.

Making it Personal

Yet at the same time, many rank-and-file employees still remain confused about their roles and responsibilities in a more security-conscious setting, according to Mark Rasch, a Washington, D.C.-based computer security and privacy expert. “You’ve got to give them incentives, not just to not do the wrong thing, but to do the right thing.”

One suggestion: make it personal, especially for those employees who have not yet lived through the experience of their own personal information being exposed in a breach.

“The correlation between their personal lives and their work lives needs to be exploited more by their IT departments or by the people providing that (cyber security) training, making it relevant,” Cohen said. “Make the fact that their credit card gets taken relevant in their work life.”

All the more reason why it’s up to management to find ways to ensure their employees don’t fall victim to complacency. Passing an online training quiz is only part of the drill and companies need to look for other ways to reinforce security consciousness.

One way to drive home the message is to reward employees who report attacks.

For example, companies can consider offering special incentives for employees who comply with cyber security measures – similar to the bounties that IT specialists receive for finding bugs and holes in a company’s network.

But security practitioners also say that carrots need to be mixed with sticks.

Workers who can’t, or won’t, comply with security protocols risk losing their employment. If those people keep failing security tests and training programs, organizations need to weigh the risks involved in keeping them on staff. Because in the end, incentives or no, training or not, the employee remains the last line of defense against cyber attacks.

“A lot of it falls to the individual or the user to just be more aware of what they’re either clicking on or responding to,” said Cohen.
