Teaching Staff To Respect The Risk Of A Data Breach

By ISBuzz Team, February 18, 2017 (updated December 4, 2024)
Last year was another one characterized by constant, confusing, and highly consequential data breaches. At this point, all organizations need to take this persistent threat seriously. Yet research by the Ponemon Institute reveals that just 35 percent of respondents who are familiar with their companies’ data protection and privacy training programs feel that executives prioritize their employees’ understanding of the causes and effects of data breaches.

This statistic should concern every organization. Although attacks on data originate from external sources, the vulnerabilities exist internally. In fact, employees themselves are most often responsible for introducing a threat into an IT infrastructure. Most executives who realize that their employees don’t know much about security also struggle with the fact that, if there is a major breach, it’s them — the CEOs and CIOs — who will lose their jobs.

Consider a Symantec report from 2016 that revealed the number of spear-phishing attacks directed at employees increased by 55 percent in 2015, ransomware attacks went up by 35 percent, and around 100 million fake technical support scams were thwarted. These types of attacks, having been specifically designed to take advantage of the knowledge gap that exists within most organizations on the subject of security, are only effective when an internal employee enables them to bypass security protocols.

Such increases are especially troubling because the dominant approach to cybersecurity is based on securing assets using advanced technologies instead of educating employees who carry the keys to the vault, so to speak. This type of risk management is both incomplete and ill-equipped to handle the sophisticated, intelligent threats of today, much less those of tomorrow.

Companywide security initiatives must place a major focus on social engineering in order to minimize the risk of user errors. In all organizations, but especially in those operating within highly vulnerable fields such as healthcare and finance, true cybersecurity is impossible without extensive user education. Employing the following strategies can help organizations begin to address the problem.

  1. Institute a culture of security. Due to the evolving nature of data threats, organizations cannot focus on a specific group of employees or a certain type of behavior in order to eliminate user errors. On the contrary, they must foster a culture in which everyone understands, respects, and keeps security top of mind.

Highlighting the consequences of a data breach is a reliable way to secure buy-in from employees at all levels. Point out that the cost of data breaches quadrupled between 2013 and 2015 and is expected to quadruple again by 2019 to an estimated $2.1 trillion. Astronomical figures like those underscore just how existential the threat of data breaches has become.

  2. Train, test, repeat. Relying on memos and bulletins to educate employees about the part they play in network security is ineffective because it misrepresents the scale of the threat. Moreover, training can seem impersonal if done remotely, and people will multitask while taking it.

Face-to-face training is essential so attendees can ask questions and wrap their heads around the issue, but a one-time session is not adequate. Repetition on at least a quarterly basis helps reinforce core concepts while keeping security issues top of mind. Emphasize how threats put both institutional and personal employee data at risk to help promote engagement.

The final component is to test the efficacy of that training by testing employees without their knowledge. Dummy phishing attacks sent out by the IT department can reveal individuals and teams who require further training. Currently, up to 30 percent of all phishing emails do get opened. Recurrent training and testing are the only reliable ways to reduce this alarming figure.

  3. Reward best practices. Even with the most educated and committed IT team in place, it can be difficult to personalize security best practices. Instead of punishing users for a breach in protocol, reward those who abide by best practices and effectively respond to both real and simulated threats with extra paid time off or whatever best motivates employees.

Gamifying the process with a practice log where points are earned can nurture a healthy sense of competition. In a survey about e-learning, 89 percent of respondents said that a point-based system would help them stay more actively engaged. Offering some sort of prize or perk creates a powerful incentive and boosts enthusiasm about security, which might otherwise seem like a dry subject.
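One way to turn the results of the simulated phishing rounds described in the "train, test, repeat" step into a retraining list, as an added example (not code from the article or its author): it computes per-team open, click and report rates and flags a team when its click rate exceeds an assumed 10 percent target or is worse than the previous quarter. The round names, team names and per-user outcomes are constructed sample data.

```python
from __future__ import annotations

# Per-user outcomes of a simulated phishing round, one letter per recipient
# (constructed sample data, not figures from the article):
#   '-' ignored, 'o' opened only, 'c' clicked the link, 'r' reported it to IT.
ROUNDS: dict[str, dict[str, str]] = {
    "2017Q1": {"finance": "ccor", "engineering": "r-cr", "hr": "rr-"},
    "2017Q2": {"finance": "ocrr", "engineering": "r-rr", "hr": "cro"},
}

CLICK_TARGET = 0.10  # assumed retraining threshold: more than 10 % clicked


def team_metrics(outcomes: str) -> dict[str, float]:
    """Open, click and report rates for one team in one round."""
    n = len(outcomes)
    # A report counts as 'seen': the user had to look at the mail to report it.
    opened = sum(ch in "ocr" for ch in outcomes)
    clicked = outcomes.count("c")
    reported = outcomes.count("r")
    return {"sent": n, "open_rate": opened / n,
            "click_rate": clicked / n, "report_rate": reported / n}


def teams_needing_training(prev: str, cur: str,
                           target: float = CLICK_TARGET) -> dict[str, list[str]]:
    """Flag teams whose click rate is above target or got worse since last round."""
    flagged: dict[str, list[str]] = {}
    for team, outcomes in ROUNDS[cur].items():
        now = team_metrics(outcomes)["click_rate"]
        before = team_metrics(ROUNDS[prev][team])["click_rate"]
        reasons = []
        if now > target:
            reasons.append(f"click rate {now:.0%} above {target:.0%} target")
        if now > before:
            reasons.append(f"regressed from {before:.0%} to {now:.0%}")
        if reasons:
            flagged[team] = reasons
    return flagged


if __name__ == "__main__":
    for team, why in teams_needing_training("2017Q1", "2017Q2").items():
        print(f"{team}: " + "; ".join(why))
```

Tracking the report rate alongside the click rate matters: a team that reports the simulated mail is doing exactly what the training asked, and that is the behaviour the reward scheme in the next step should recognise.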

Staff awareness is not just a component of a security strategy — it is the foundation. A brief history of cybersecurity shows that all prior tech-based tools have been incomplete or quickly became obsolete. Even when they work perfectly, a seemingly secure environment can easily be compromised by the innocent mistake of a single, uninformed user.

As threats continue to proliferate, organizations must see past the myopic notion that computers, not users, are the problem and can provide the solution. A concerted effort to boost staff awareness is not guaranteed to deflect all attacks. However, it is the best way to prevent most breaches. Organizations that rely only on external solutions will always be at risk.

About the author: Karin Ratchinsky


The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.
