Why Employee Training Might be the Most Critical Security Strategy Ever
One of the most intriguing findings from the 2014 Cyber Security Intelligence Index, wrote a blogger at securityintelligence.com, is that 95% of all security incidents involve human error.
The findings put the spotlight on both external attacks that trick employees into providing access to sensitive information and on-the-job mistakes by employees that lead to data breaches.
But they also speak to the significance of information security training, which was an important theme – and emerging challenge – identified by the 2016 Shred-it State of the Industry Report.
Drawing on the annual Shred-it Information Security Tracker by Ipsos, the report concluded that employee training is one of the most important strategies today to protect an organization’s confidential information and to keep information security a priority in the workplace.
What are the key aspects of information security training?
- Security awareness must be company-wide. Protecting confidential information must be a commitment from the top down, starting with the CEO and C-Suite. As part of a culture of security, training should provide every employee with a comprehensive understanding of the office security policy in order to enable them to always make the right decisions about protecting information.
- Knowledge and skills are both necessary. Security experts say that the best security technology such as firewalls and password protection will fail if employees do not know how to identify and avoid security risks. Training must provide both theory and practical best practices.
- Training must be ongoing. Ongoing training is critical for keeping security policies and procedures a priority in and out of the workplace. The State of the Industry Report showed that many businesses around the world fall short. In Canada, for example, 39% of small business owners (SBOs) never train employees, and 31% only do so on an ad hoc basis.
- Remind employees. Communicate security awareness and educate employees in different ways: for example, hang up reminder posters and include references in emails, memos, meetings, and even promotions. Comprehensive employee policies teach security too. A Clean Desk Policy helps keep work areas clean and tidy. A Shred-it All Policy requires that all documents be securely destroyed when they are no longer needed.
- Utilize employee ambassadors. The State of the Industry Report underlined the importance of developing an information security ambassador program so there are liaisons for information security throughout the organization. Ambassadors, who are volunteers, help educate employees, build awareness, and influence secure behaviors.
- Address the mobile workforce. The 2016 Security Tracker showed that 92% of C-Suites and 58% of SBOs have at least some employees currently using a flexible or off-site working model. But only about one-third of C-Suites and SBOs have information security policies for off-site work environments. Best practices include not leaving hardware or any confidential materials in vehicles, hotels, etc.; avoiding visual hacking by protecting visible information on devices in public places; returning paper products and digital media that are no longer needed to the workplace for proper disposal; and partnering with a reliable information destruction provider for disposal and destruction services.
A comprehensive document management policy is beneficial for two reasons: it systematically protects information from creation until disposal, and it teaches employees to protect information too.