Minimizing the Human Impact on Data Security

The 7 key questions IT leaders should ask themselves.

August 28, 2017

We’re only human, after all.

These days many organizations do not feel confident about their ability to prevent a data breach, mainly because they feel they can’t trust the humans working for them. And for good reason! Cybercriminals continue to exploit the human element, which was blamed for over 400 reported data breaches and 7.6 million+ compromised records in 2016.

Regardless of whether an employee knowingly takes part in a malicious effort or inadvertently enables an intrusion or other form of unintended disclosure, a breach of valuable data is not what you want to have happen. Therefore, you must minimize the human impact.

Security awareness reduces breach risk.

Let’s start with a brief but interesting foundation of background information from the 2017 Threat Monitoring, Detection and Response Report:

  • Insider threats continue to be a growing concern (51% of respondents perceived growth in these threats over the past year), with inadvertent breaches (61%) identified as the leading cause;
  • User training was identified by 57% of respondents as their leading method for combating such threats; yet
  • 49% of respondents indicated that a lack of security awareness is a huge issue for defense against cyberattacks.

All kinds of effective security awareness training and education programs exist to help combat the issue of human impact, and more are popping up every day. However, just as we often see with card-accepting merchants approaching PCI compliance, employees are often given a cursory, once-a-year security awareness session.

In other words, we often see a “checkbox” approach to employee security awareness.

Concerned about employees’ security awareness? Ask yourself these 7 questions.

Here are some key questions to consider for making the journey from a checkbox, point-in-time security approach to a continuous-learning security culture:

  1. How often do you conduct security awareness training? Is there a mechanism in place to test whether people are truly learning and retaining the concepts?
  2. Do your senior people go through the awareness training as well? Can you demonstrate their commitment to newcomers and others within all levels of the organization?
  3. Does your organization use a true learning management system, with training levels differentiated by how much access to sensitive information each role involves?
  4. Do employees receive regular updates on recently-announced threats, as well as a review of the “oldies but goodies” that are still making the rounds?
  5. What are some ways you can make a secure mindset fun and engaging? For example, have you thought about having security-themed contests or organizational activities?
  6. How can you get people to understand the damage done by inadvertent breaches that result from lax or negligent behavior?
  7. If your business provides third-party services to other businesses, how are you fostering a security mindset that protects the data of your clients and, in many cases, the customers of your clients?

To minimize the human impact on data security, programs must be implemented that reflect a continuous education and awareness approach. I would assert that from the top down, each of your employees must become a student of data security and live a security culture every day.