In 2012 an employee at South London Healthcare Trust in the U.K. lost an unencrypted USB drive containing sensitive information on several hundred patients. He had taken the memory stick out of the office to work from home. In an online post, the trust's chief executive said the incident occurred because the employee had not been adequately trained on data security and compliance policies.
The fact that the information was unencrypted is concerning, but what is even more worrisome is that the executive knew the employee lacked training.
Workplaces are still struggling with a lack of security awareness and business information security, according to recent findings by Beazley, an insurer that provides breach response services. After analyzing more than 1,500 data breaches that occurred in 2013 and 2014, it found that the two most common sources of data breaches were "unintended disclosures" such as misdirected emails and faxes (31%) and the "physical loss of paper records" (24%).
Furthermore, the 2014 Ponemon Cost of Data Breach Study showed that almost one third of data breach incidents are caused by negligent employees or contractors.
Here are 8 aspects of security awareness training that organizations of every size need to know.
- The biggest driver of data security training is to improve the overall level of data security, according to Ponemon’s The State of Information Security Awareness: Trends & Developments.
- Compliance and governance regulations such as the Sarbanes-Oxley Act and the Payment Card Industry Data Security Standard, mandate security awareness training too.
- There appears to be a security skills gap, according to an article posted at eWeek. As industry and educational institutions scramble to provide more security awareness learning opportunities, "...you have to be more creative to find the skills you need," said a security expert at Ernst & Young. Prioritize efforts and focus on the technologies and processes that help identify security threats and risks.
- Regular – not one-time – training ensures that employees stay on top of data security best practices. Shred-it's 4th Annual Security Tracker showed that in the U.S. only 46% of organizations hold regular training sessions, and 15% of C-suite executives reported that employees are never trained. A majority of small businesses in both Canada and the U.S. say they either don't train their employees or do so only on an ad hoc basis.
- Training must address risky work habits. Losing laptops and other mobile devices is common, according to The Human Factor in Data Protection survey; so is mishandling data, sharing and reusing passwords, and handling unencrypted sensitive data.
- Security awareness reminders in the workplace are recommended in Redspin research – for example, posters on walls and screen-saver reminders.
- Target the mobile workforce with specific training. For example, use privacy screens, carry only the sensitive information that is actually needed, and connect to the internet only through a secure wireless network rather than untrusted public Wi-Fi.
- Implement business information security policies and procedures that support security awareness in the workplace. For example, a Clean Desk Policy is recommended; also partner with a paper shredding services provider and replace recycling bins with locked storage consoles. Introduce a shred-all policy so that all information that is no longer needed is securely destroyed.
At the end of the day, the goal is to make employees a security asset. These practical security tips will help get employees to commit to information security in the workplace.