Information Security Plan: Employee Training Makes a Huge Impact on Reducing Risks
Employee training is a fundamental component of every information security plan, and it can have an effect on the bottom line.
Last year, Wombat research showed that changing employee behavior can reduce the risk of a security breach by 45% to 70%.
“The smarter the organization, the less you have to spend on security because it’s embedded within people that know the value of the data and where their vulnerabilities are,” said Jeff Reich, chief security officer, Barricade, in an online interview.
The Weakest Link
“Most data breaches that we hear about occur due to the bad guys being able to take advantage of employees who don't know policy, aren't security aware enough to think ‘oh this is a moment when I should be following policy,’ aren't clued in enough to report suspicious activity, or don't understand why they should care about their company's security well-being,” said Ashley Schwartau of The Security Awareness Company in a digitalguardian.com story.
Employees have to be trained in how to safeguard devices and confidential information. Without that training, security suffers regardless of how much is invested in IT protection.
According to an fcw.com story, CEB research showed that employee error contributed to almost half of all security incidents – while malware contributed to 20% and hacking represented just 11%.
Examples of employee mistakes include emailing unencrypted data, having unencrypted data on mobile phones, taking sensitive data home, and leaving confidential information behind in meeting rooms or in full sight on desks.
There’s also the issue of technology cross-over. A broadening footprint (portable devices, bring-your-own-device/BYOD, the Internet of Things, etc.) means electronic devices and online activities are part of day-to-day life at work and home – and basic security practices should cross over as well. For example, don't give out sensitive data over the phone, use secure networks if transmitting confidential information, and change passwords frequently. A Deloitte report released a few years ago showed that 90% of user passwords are vulnerable to hackers.
Phishing is used frequently by cyber criminals. Recent research from Wombat Security Technologies and the Ponemon Institute showed that the average annual cost to contain a credential compromise originating from a successful phishing attack was $381,920. The total cost of business disruption due to phishing was about $66.9 million. Ponemon found that the phishing email click rate improved (that is, fell) by an average of 64% following security training.
Hard Drive Security
Storing old hard drives and flash drives also increases the risk of data breaches. As long as drives are physically intact (and even if they’ve been erased, reformatted, wiped or degaussed), private information can be retrieved. Partner with an information destruction company for secure hard drive destruction. The company should document the manufacturer serial number of each device before destroying hard drives, and it should provide a Certificate of Destruction for your records.
Fight fraud – and further reduce information security costs – by targeting your office’s most vulnerable areas.