This challenge is fully evident in relation to data breaches. As discussed in my previous blog post, human error accounts for 33% of data breaches in the U.S., costing businesses hundreds of millions of dollars annually. A strong security posture, including employee education, is the single biggest deterrent against the skyrocketing costs of a data breach.
So where do we start? Just like any other compliance initiative, you must have a combination of policy, procedure, training and reporting mechanisms to educate your employees on how to behave, how not to behave, and what to do if they think a problem exists. In addition, these standards must be backed up by appropriate IT controls.
Here is a list of starting points for employee training and policy development:
- Password Controls: It seems so simple, but today you could probably still walk around your office and find passwords taped to walls or computers. Train staff on how to properly store passwords, especially mobile employees who travel with their computers. Develop a policy that you actually enforce; lack of enforcement leads to breaches.
- Phishing/Spearphishing Attacks: You must train your employees on the types of attacks they can and will face daily. Spearphishing is incredibly effective and prevalent. If you don't know what it is, your employees probably don't either. There are plenty of online resources that explain this type of attack, with examples you can share with staff.
- Reporting System: Very often, staff don't want to report potential data breach incidents because they feel it may put their jobs at risk (which may well be the case). If you don't have an anonymous reporting system in place, consider a tool that allows confidential reporting of data security and breach issues.
- Incident Response Program: Many organizations have an incident response program in place for data breaches, but have done a poor job of educating the entire workforce on it. It's no different from training on disaster preparedness: train everyone, and train often.
There are many more areas that require focus, but if you lack any of the four above, start here and build the discipline around your employees. Once that is in place, you can add further areas of training and education.