Even when companies invest in securing their data and networks, they often make one mistake.
They forget to train their users.
Sure, everyone in a company receives instructions to create a strong password, not to log-in to public WiFi while accessing confidential information, and not to click on anything suspicious in email.
Then they're turned loose to work.
That's not really training.
If you answered “no” to those questions, you're making the same mistake. Here's how you can do better.
How's this for an answer?
Research from IBM shows that roughly half of data breaches are caused by employees. A small portion of these are malicious – deliberate theft or a disgruntled employee sticking it to their boss. Mostly it's because people are clueless about information security. Forrester research shows a similar story, with 46% of data breaches from internal issues – malicious intent at 46% and accident at 42%.
We'll focus on how you can avoid those accidents from happening.
It doesn't matter how good your security plan and infrastructure is when all it takes is for one employee to click on a malware link in a phishing email and – BAM! – ransomware just got into your network (though you have a solid data backup plan, so that's not a major problem for you – read more).
Regular – ONGOING – training can help alleviate this problem. Notice I said “alleviate” as human error is something we can't do away with! Here are six steps you can take to keep those human errors to a minimum:
Training is effective. Research from Wombat Security and Aberdeen Research found that “an investment in user awareness and training effectively changes behavior and quantifiably reduces security-related risks by 45% to 70%.”
Remember that awareness isn't training – there's a gap between telling someone security is important and showing them how to, for example, spot a phishing email. So while it's important to tell everyone that you want to have a security culture, you also need to devote time to training so that everyone has the skills and knowledge to create that culture of security.
While you focus on cybersecurity, don't forget to physically secure your information. A few quick tips to keep in mind:
One last note on security, training that explains the reasons for the security steps that need to be taken is more effective than a “just do it or else” approach.
A research paper, Technology Use: Conception and Operational Definitions, showed that “mindful” teaching worked better than “directive” training. Everyone is familiar with directive training, you sit in a room and someone explains what you should and shouldn't do. In this case, how to spot phishing emails using some key characteristics of those emails.
The “mindful” teaching shared how to spot a phishing email, but also why it was important not to click on them (harmful viruses, ransomware, etc.). The people in this group didn't recognize 100% of phishing emails, but were less likely to fall victim to an email scam.
For your office, this means sharing the dangers and risks with employees of the negative effects of a security breach on the business (and, in the worst case scenario, on their jobs).
Security is a strategy supported by information technology. It also should be part of your business culture.
Train regularly and stay safe.