Security Awareness Training: A Best Practice for Companies to Reduce Information Security Risks
Data security breaches and information security risk management issues are in the news all the time and CISOs across the globe are working tirelessly to tighten up corporate security. The recent photos of personal debit cards on Twitter, however, shine the spotlight once again on an area of corporate security that may be overlooked in many organizations: employees. Individuals work for companies, and many individuals do not seem to understand the risks inherent in using the Internet.
In case we're thinking that this kind of carelessness in information security is unusual, or that it wouldn't happen "with the bright professionals we have in our employment," the next few lines may come as a surprise. Kroll Advisory Solutions concluded in its 2012 HIMSS Analytics Report that "human error remains the greatest threat to data security across the healthcare industry," and according to Ponemon Institute's report, The Human Factor in Data Protection, at least 78% of respondents indicated that their company had experienced a data security breach as a result of human negligence or maliciousness.
Ponemon also identified 10 risky practices in which employees routinely engage that are directly related to information security:
- Connecting computers to the Internet through an insecure wireless network.
- Not deleting information on their computer when no longer necessary.
- Sharing passwords with others.
- Reusing the same password and username on different websites.
- Using generic USB drives not encrypted or safeguarded by other means.
- Leaving computers unattended when outside the workplace.
- Losing a USB drive possibly containing confidential data and not immediately notifying their organization.
- Working on a laptop when traveling and not using a privacy screen.
- Carrying unnecessary sensitive information on a laptop when traveling.
- Using personally owned mobile devices that connect to their organization's network.
So, what should we be doing about human error in order to better protect our organizations against data security breaches?
Knowing what we do about our employees' common behaviors, a few basic safeguards really shouldn't be overlooked, such as encrypting laptop hard drives, restricting the devices that are able to access the corporate network, and instituting a mandatory routine for changing passwords. These safeguards may sound pretty basic, but one-third of Ponemon's respondents claim that their organization's sensitive data isn't protected by encryption or other data protection technologies, so there is definitely room to make fairly simple information security improvements.
In addition to the safeguards that protect corporate data, taking the time to conduct security awareness training that educates employees on acceptable and unacceptable behavior, and that focuses on the risky behaviors already identified as prolific in our organizations, is the next most effective way of reducing the risk of a data security breach.