Security Policy Compliance: The Good News about ‘Human Error’ in the Workplace
What Chief Information Officer isn’t concerned about the fact that human error is so often to blame for workplace-related data breaches?
Industry statistics range from Ponemon's 2015 Cost of Data Breach Study that attributed 25% of the root causes of data breaches to human error to the 2014 IBM Security Services Cyber Security Intelligence Index report that indicated 'human error' was involved in more than 95% of the security incidents.
But the news about security policy compliance isn’t all bad.
In fact, the 2015 Global Megatrends in Cybersecurity report showed that 60% of U.S. respondents forecast their organization’s cybersecurity posture would improve and employee-related risks would decline over the next three years.
What factors are contributing?
New attitudes towards security
Security awareness is at an all-time high thanks to high profile security breaches in the news. Also, with so many electronic devices available now – from smart phones to ‘phablets’ to wearable devices – consumers are more familiar and accepting of security features as part of the deal.
Research has shown that employees will resist if security features make it difficult to do their jobs or slow down productivity. In a 2014 Ponemon study, employees circumvented or disabled required security settings ‘frequently’ (23% of respondents) and ‘occasionally’ (29%).
But usability is a driver in the consumer tech world and will likely continue to work hand-in-hand with security improvements to create user-'friendlier' solutions. In an online post, Tony Pepper, CEO of Egress Software Technologies, suggested that consumer awareness matched with user-friendly functionality could aid the Information Security Revolution.
Shifts in implementing security policies
When organizations create a culture of security where people are trusted, motivated and empowered, their attitudes, mindsets and behavior begin to change, said Steve Durbin from Information Security Forum. For example, many employees want to use their own devices in the workplace and implementing a BYOD policy that specifies acceptable use can have this kind of positive effect.
It's no longer just an IT issue
“If employees are used to generating encrypted messages or using two-factor authentication via mobile phones, they will likely demand this same security in a work environment.”
Now that information security has been elevated to the boardroom, there’s more input into finding solutions.
“The lesson here is the importance of balancing convenience and user experience against the business need to reduce risk,” said Pepper.
Security awareness training
Changing work habits through on-going training is important too. In the IBM report, the most prevalent form of human error involved clicking on malicious links found in phishing messages. Practical training can address this issue and others such as patch management, poor passwords, and lost mobile devices.
It’s important to embed positive information security behaviors “that will result in ‘stop and think’ behavior becoming a habit and part of the organization’s information security culture,” said Durbin.
The way an organization manages its document disposal is a perfect example. Partner with a document destruction company and replace open garbage and recycling bins with conveniently-located locked consoles. Implement a Shred-all Policy as well so all employees have to do is deposit documents that are no longer needed into locked consoles.
Keep the following helpful security tips in mind the next time you implement a new security policy or plan an employee training and simplify security in your organization with secure shredding services.