Even the most up-to-date firewall and virus protection will not protect you against the biggest threat to your organization’s cyber security – your employees themselves.
Despite this, only 45% of companies train their workers in how to prevent breaches, according to a new report released by the Ponemon Institute, even though 55% of organizations surveyed said they believe they had had a security breach caused by a malicious or negligent employee. And 66% of respondents said employees are the weakest link in their efforts to create a strong security environment.
The report also says that even when there is training, there are “critical areas that are often ignored.” According to the report:
- 49% said training included phishing and social engineering attacks
- 36% said training included mobile device security
- 29% said the course included how to use cloud services securely
- 67% said their organizations do not provide incentives to employees for being proactive in protecting sensitive information or reporting potential cyber threats
Given the obvious disconnect between employee training and the very real, constant threat to any organization with a database, many companies are not doing enough on the personnel side to reduce the threat of cyber attacks such as hacking, malware and other malicious code.
Experian Data Breach Resolution, which sponsored the “Managing Insider Risk through Training & Culture” report, made the following recommendations about what employee training should cover to protect a business from cyber attack.
Basic courses should typically cover these topics:
- Protecting paper documents
- Securing protected data
- Password security
- Privacy laws and regulations
- Data classification
- Safe e-mail practices
Advanced courses should typically cover these topics:
- Phishing and social engineering
- Responding to a data loss or theft
- Mobile device security
- E-mail hygiene
Gamify training to make learning about potential security and privacy threats fun. Interactive games that illustrate threats for employees can make the educational experience enjoyable and the content easier to retain. There are new training technologies that simulate real phishing e-mails and provide simple ways to report potentially fraudulent messages.
Experian also recommends that employers provide incentives to employees for being proactive in protecting sensitive information or reporting potential issues. This could include a cash reward or gift card at a local coffee shop.
Another approach to changing behavior is to have clear consequences for negligent behavior, such as inclusion in the next performance review or a mandatory one-on-one meeting with a superior.
In addition to training, you should send regular messages to employees about security and privacy practices.
If you have had a data breach, you should require your staff to retake cyber security training. A breach provides the opportunity for you to train your staff about the importance of carefully handling sensitive and confidential information.
The stuff of cyber nightmares
Negligent and malicious behaviors that keep security professionals up at night:
- Unleashing malware from an insecure website or mobile device (70%)
- Violating access rights (60%)
- Using unapproved mobile devices in the workplace (55%)
- Using unapproved cloud or mobile apps in the workplace (54%)
- Accessing company applications from an insecure public network (49%)
- Succumbing to targeted phishing attacks (47%)
Even with strong firewalls and a solid employee training program, if you do incur a breach, the fallout can cost you. A cyber liability insurance policy can pay for recovery costs, litigation costs, fines and the notification costs you may incur.
Call us to see if a cyber liability insurance policy is right for your organization. The chances are extremely high that at some point, your systems will be breached.