Part 2 – Creating a “Human Firewall”

Without the challenge of controlling human behavior, compliance wouldn’t exist; and it’s the greatest difficulty we face daily. How do we make certain that our people not only have access to the right information but also make the right decisions based on that information?

 

This challenge is fully evident in relation to data breach. As discussed in my previous blog post, human error accounts for 33% of data breaches in the U.S., costing businesses hundreds of millions of dollars annually. A strong security posture, including employee education, is the single biggest deterrence against the skyrocketing costs of data breach.

 

So where do we start? Just like any other compliance initiative, you must have a combination of policy, procedure, training and reporting mechanisms to educate your employees on the ways to behave, not behave, and what to do if they think a problem exists. In addition, these standards must be backed up by appropriate IT controls.

 

Here is a list of starting points for employee training and policy development:

  • Password Controls: It seems so simple, but today, you could probably still walk around your office and find passwords taped to walls or computers. Train staff on how to properly store passwords, especially mobile employees who travel with their computers. Develop a policy that you enforce – Lack of enforcement leads to breach.
  • Phishing/Spearphising Attacks: You must train your employees on the types of attacks they can and will face daily. Spearphishing is incredibly effective and prevalent. If you don’t know what it is, your employees probably don’t either. There are plenty of online resources to explain this type of attack and examples you can share with staff.
  • Reporting System: Very often, staff don’t want to report potential data breach incidents because they feel they may put their jobs at risk (which may well be the case). If you don’t have an anonymous reporting system in place, you may consider a tool that would allow for a confidential incident reporting around data security and breach issues.
  • Incident Response Program: Many organizations have an incident response program in place for data breach, but have done a poor job educating the entire workforce on it. It’s no different than training on disaster preparedness: train everyone and train often.

There are many more areas that require focus, but if you lack any of the above four, start here and build the discipline around your employees. Once you put that in place, you can add additional areas of training and education.

Toby Graham

Toby manages the marketing communications team here at Compli. She's on a quest to help people tell clear, fun stories that their audience can relate to. She's a HUGE sugar junkie...and usually starts wandering the halls looking for cookies around 3pm daily.

→ Toby Graham

Related Posts




Phone: 866.356.1735
Support: 877.522.4276
Menu
Customer Login

Send this to friend