In a recent study, the Ponemon Institute surveyed 601 cyber security professionals, and discovered that 66 percent of respondents identified their company’s staff as the weakest link when it comes to IT security. Furthermore, 55 percent already experienced a security incident caused by either a malicious or negligent employee.
Inattentive staff, or employees unfamiliar with basic IT security best practices, can create countless opportunities for hackers to compromise your company’s security.
To protect your business and address the multitude of vulnerabilities day-to-day employee activity creates, you need to provide your staff with routine, comprehensive security awareness training.
Does your business have a BYOD policy? Read: Cybersecurity: How to Reduce the Risk of Personal Devices to better protect your business from criminals who could exploit this vulnerability.
Why Organizations Need Security Awareness Training
Ignorance is not bliss
Despite the heavy investment your business may have made in IT security technology, none of these systems is completely foolproof. Criminals and scammers are placing more focus on the element of your business that you have the least direct control over: your employees.
Poorly-trained staff can unknowingly create security vulnerabilities. In fact, a study of 887 companies spread across 30 countries found that in the previous year “employee error” caused 30 percent of data breaches among the surveyed businesses.
Similarly, a 2014 study conducted by Enterprise Management Associates, Inc. (EMA) found that 58 percent of employees store confidential information on mobile devices, while 30 percent frequently leave these same devices in vehicles unattended. In addition, 35 percent of those surveyed had clicked on links contained in phishing emails, and 33 percent used the same password for work and personal devices.
Depending on the nature of your business, there is a strong possibility that you are already legally obligated to provide security awareness training to your employees. The frequency and scope of these requirements vary, so you should consult with industry experts to craft an appropriate curriculum. Common organizations that have mandatory cybersecurity training requirements are:
Bring your own security vulnerability
While bringing your own device (BYOD) policies offer the ability to lower costs and improve employee productivity, they also create a substantive security liability for your organization.
A recent survey conducted by software security firm Trustlook Inc. found that 70 percent of respondents used a personal electronic device (e.g., smartphone, tablet, laptop) to access company systems. However, only 39 percent of these businesses had a formal BYOD policy, and less than half of those surveyed had received any instructions, security-focused or otherwise, regarding the use of a personal device.
These figures are particularly frightening in light of a recent report from Kaspersky Lab which found that half of the world’s mobile devices lack adequate protection from cybercrime and malicious threats like mobile malware.
How Can You Get the Most Out of Training?
Work with your IT department to develop clear, unambiguous security policies for your business. Outline guidelines for password safety and user credentials, requiring these to be updated on a regular basis. Consider mandating that staff must use a virtual private network (VPN) to access company systems when using a public Wi-Fi hotspot.
If you have a BYOD program, establish uniform security requirements, such as mandatory security software. Define what information can and cannot be accessed using these devices.
Any training efforts should then thoroughly cover these policies, making it clear to employees the consequences to themselves and the company at large if guidelines are not followed.
Train thoroughly and regularly
Even if you’ve invested the time and effort needed for a security awareness training program, you’re probably not training enough.
According to the EMA study cited earlier, if you ignore security and IT support staff, less than half of employees have received any security awareness training from their current employer. These are the same staff that will most likely fall victim to social engineering attacks.
The study also found that for those employees that do receive training, annual courses are the most frequent despite the fact that “training provided at that interval is unlikely to be remembered by the participants.”
To encourage greater retention of policies and information, you should provide frequent refresher courses for your staff.
The Next Step
A well-educated workforce is a critical component of any comprehensive security policy. You should provide routine, ongoing training to all of your employees, even key executives, teaching them how to detect potential threats and what measures they can take personally to protect the organization.