There have been too many instances in 2016 of human error causing company data to be compromised, from the Snapchat breach, where an attacker posed as one of the company’s chief executives to trick an employee into releasing employee financial data, to the Seagate incident where a senior HR executive became the victim of a sophisticated phishing scheme, resulting in employee tax information being exposed.
According to a recent study from CompTIA, the trade association for the IT industry, human error is the root cause of 52 percent of security breaches. Everything from an end user’s failure to follow policies and procedures to their lack of technical skills and experience, can cause company information to be comprised. On top of that, according to the latest Verizon Data Breach Investigations Report, attacks targeting “human assets” and user devices have been steadily rising over the last 6 years, while attacks targeting servers, terminals, and networks, have been decreasing.
The battle is not lost though, and it just so happens that October is National Cybersecurity Awareness Month; a collaborative effort between the U.S. Department of Homeland Security (DHS) and the National Cyber Security Alliance (NCSA). As the name implies, this is a national campaign to raise cybersecurity awareness and make sure our online lives are secure. This is the perfect time for companies across the country to make it a priority to improve the cybersecurity culture of your organization through a combination of training and technology solutions.
Here are five strategies to help your organization strengthen its cybersecurity posture:
- Introduce training during the onboarding process and again once a quarter. Employees should receive basic security training starting on their first day on the job. They should then be scheduled for refresher training touchpoints throughout the year. These touchpoints should be provided to everyone within the organization from interns to mid-level managers and senior executives. The issues addressed during these training refreshers should be relevant to each employee’s job function and position within the organization, and can take the form of email reminders, informational posters, in-person discussions, etc.
- Employ outside resources including games and online courses. There are an assortment of educational programs available to companies who are looking to enhance their employee’s security expertise, from online courses to seminars and events at local universities. There are also risk simulation games such as PwC’s Game of Threats, Apozy’s Security Checkups, and Logical Operations’ CyberSAFE Readiness Test, among others. Another option is to find a local computer science professor or professional to come to your organization to host a workshop for employees.
- Test, test and test again to ensure the message is sinking in. There are multiple ways to test whether your cybersecurity training programs are effective. One of the easiest ways to go about this is to plan a simulated attack on employees. There are commercial and open source solutions, such as PhishMe and Gophish, respectively, that provide you the ability to immerse employees in simulated real-life phishing scenarios to see how they react. These types of simulations are real eye-opening for companies and for targeted end users, and serve as great springboards for security awareness campaigns.
- Reward employees for safe and secure online practices. Rewarding employees for keeping company information secure is one of many ways to establish a culture of security within an organization. In addition to sending the message that security is a top priority for the organization, employees will make more of an effort to investigate matters that could result in a breach or compromise if they know they will be publicly acknowledged for their efforts. These announcements can be made during a company-wide meeting or in an internal newsletter. Another way of enlisting the help of your employees is to elect security champions for each department or subteam. That way, you get more resources helping you promote policies and procedures and security best practices.
- Don’t rely on employees alone; use technology tools to provide your organization’s safety net. It is never a safe bet to rely solely on employees to keep company information secure. With cybercriminals’ tactics becoming increasingly sophisticated, it is important to minimize the opportunities for human error to take place by leveraging technology solutions. One of the basic tools to consider investing in is an identity and access management solution, which allows companies to automate core identity compliance controls, measure and monitor risks associated with both users and resources, and automate access control policies, among a range of other security features.
Every organization—from large and small businesses to academic institutions and government agencies—can become the target (and victim) of cybercrime. Workforce education and training combined with basic technical controls, is an effective way to help prevent human error and manage the risks to your organization.