A recent study by a well-known information security company captures one of the most common information security fallacies: that information security is a technology problem. Most businesses view mitigating information security risks as falling squarely in the purview of their information technology department. However, this study reports that human error actually accounted for nearly two-thirds of security compromises, far exceeding causes like insecure websites and hacking.[1] While technological measures (such as anti-virus software, access controls, firewalls, and intrusion detection systems) are clearly important, their effectiveness pales in comparison to the benefits gained by effective security awareness training.
Just as troubling, another recent study found a 789 percent increase in email phishing attacks containing malicious code, including ransomware, in the first quarter of 2016 over the final quarter of 2015.[2] Phishing, which is an attempt to obtain confidential information or access by fraudulently posing as a legitimate company seeking information via email, instant message, or other electronic communication, specifically preys on employees who have not been trained to recognize the scam. A successful phishing expedition can result in the loss of confidential and financial information, system disruption, and consumer litigation exposure. Every industry is impacted and at risk.
The results of these studies should serve as a clarion call to businesses. While we have long known that the human component is the key to improved security,[3] it is also one of the most neglected areas in many businesses’ information security programs. Security awareness training for employees is one of the most important and effective means of reducing the potential for costly errors in handling sensitive information and protecting company information systems. Regardless of how much money and effort a business spends on its technological security measures, it cannot achieve an adequate level of security without addressing the human component.
Awareness training can ensure employees have a solid understanding of employer security practices and policies, as well as the tell-tale signs of an attempt to gain improper access to computer systems and confidential information. In contrast, uninformed employees are susceptible to mistakes, malware, phishing attacks, and other forms of social engineering. They can do substantial harm to a company’s systems and place its data at risk. The recent spate of ransomware attacks highlights just how critical the human element really is, as almost every one of those attacks resulted from human error.
First and foremost, it is critical that training programs have the participation of, and include input from, all relevant stakeholders at the company, including human resources, IT, information security, legal, and compliance.
Key aspects of any successful training program should also include the following:
- Training that is provided on an ongoing basis, rather than limited to when an employee is first hired or assigned to a new role in the organization
- Training that is creative and not confined to a non-interactive classroom setting
- Introducing interactivity into the training process wherever possible
- A means of measuring progress
To be truly effective, a security awareness program must provide “multiple methods of communicating awareness and educating employees as well (for example, posters, letters, memos, web-based training, meetings, and promotions).”[1]
Training can be conducted through a number of means:
- Classroom sessions
- Security posters and other materials in common areas
- Brown bag lunches
- Helpful hints distributed to employees via email or corporate intranet posts
- Simulated phishing attacks (for example, systems that periodically send phishing emails to employees attempting to lure them into clicking on an attachment or a hyperlink, and then alert the employee that they have engaged in an insecure activity)
Additionally, having comprehensive and understandable employee policies is critical to a company’s information security safeguards. Readable and effective policies can be used in conjunction with effective employee training to reduce data security incidents caused by human error.
Finally, one of the most effective ways to increase employee security awareness is to help employees understand that good security practices can also benefit them personally. Being security-aware not only serves to protect their employer’s systems, but also helps in better securing the employee’s own personal data and computers. For example, by being more vigilant in identifying potential phishing attacks at work, the employee will become more vigilant in using home email accounts and, thereby, protect their own data, photographs, financial accounts, and so forth.
To assist businesses in effective security awareness training, we have developed this Employee Information Security Checklist, which highlights key areas for employees to better protect not only their employer’s systems and data, but also their own personal systems and data.
[3] See, e.g., Common Sense Guide to Mitigating Insider Threats, 4th Edition, http://www.sei.cmu.edu/reports/12tr012.pdf.