There’s a big difference between knowing about strong security practices and actually putting those practices into active use. When it comes to data security, we all know that people are the largest factor leading to data breaches. Earlier this year, the Verizon DBIR tied 90% of all security incidents back to “people,” whether mistakes, phishing, bad behaviour, or lost stuff. We’ve talked about a 3-pronged approach to mitigate security risks, particularly those introduced by this “enemy within,” including Education, Policies and Layered Technology solutions. While security education is key here, there is clearly a big difference between putting security training out there and having that training turn into effective changes in data handling.
Maria Korolov recently wrote a post for CSO Online asking, “Does Security Awareness Training Even Work?,” citing discussions from a group of security experts who all admitted to poor personal security practices. If even the “experts” have bad security habits in even basic areas such as secure password use, how can it be expected that the average employee would improve through training?
It’s clear that security training alone is not enough to mitigate risks; to be effective, training must be clear, customized, specific, and relevant. The article on CSO Online puts forward these additional tips for effective security training:
- Be concise – long classes can cause people to zone out or forget the content quickly
- Think outside the box – training need not take place lecture-style. Integrating online materials, videos, simulation training and other techniques can make training more relevant and more likely to be remembered
- Make it ongoing
- Integrate testing of security awareness and/or training modules that test effectiveness. Stay on top of poor performers and ensure no employee is overlooked.
- Encourage employees to report suspicious emails or behavior
Ponemon estimates that even the most basic training in areas such as phishing—one of the leading “people” causes that open a vector for attack—can have an average improvement of 64%. The report estimated a cost savings of $188.40 per employee/user by implementing effective training. So, is training perfect? No. But training can and does make a tangible difference in the number of successful breaches caused by people. With tangible cost savings, and ultimately smarter employees, this helps sell security as a business issue and gain the top-down support that is key to translating security training into a culture of active security prevention. As the CSO Online article also reiterates, supporting our recent discussion, senior support is an essential ingredient in shifting corporate culture and achieving effective data security.
Aside from effective training, and policies that support it, technology should be in place that will automatically alert IT of risk incidents, whether it be email filtering, password enforcement or alerts to irregularities in software, hardware or user behaviour, as we provide with Absolute DDS. Even the most well-prepared and well-trained organizations may still suffer from mistakes that lead to a data breach, so having steps in place to remediate compromised systems and minimize damages is also key. Learn more about how our team can assist you with your risk response and investigations here.