May 22, 2014 by The GLS Team
Recent studies indicate that careless and negligent actions by individuals within an organization continue to be the leading cause of information security breaches. To protect themselves, their organization and its clients, employees need to be able to recognize and avoid security threats. Security awareness training has never been more important.
What is Security Awareness?
Security-aware employees understand that people, whether deliberately or by accident, can steal, damage or misuse the data held in a company's computer systems and elsewhere in the organization. The purpose of security awareness is to prevent that theft, damage and misuse. The first line of defense is knowing the kinds of risk involved and the safeguards available against them.
The Cost of Inaction
An IBM Security Services report indicates there were at least 1.5 million monitored cyber-attacks in the United States in 2013. Not all data breaches are reported, and some companies do not even know they have been compromised. As data moves freely between corporate networks, the cloud and mobile devices, the exposure only grows. The threat is real, and it can be very costly.
A joint 2013 study from Symantec and the Ponemon Institute put the average total cost of a data breach to an organization at $5,403,644. A 2013 UK study from the Department for Business, Innovation and Skills indicated that the total cost of a security breach could range from $55,000 to $100,000 for small businesses and from $700,000 to $1,300,000 for large businesses. The Symantec and Ponemon study also found that about 64% of data breaches were caused by system problems and human error, the very failures that awareness training is meant to reduce.
Approaches to Improved Security
Every organization must ensure its employees understand the risks involved in collecting, storing and transferring information, and know how to stay protected. That protection requires security awareness training that builds a security-aware culture and the behavior change that goes with it. Employees should also learn the corporate practices and policies for working with information technology.
Employees must understand that data is a corporate asset: corporate information is private and is not to be shared freely. Personnel must also be given clear instructions on what to do if they discover a security breach, including whom to notify and how quickly.
To make better decisions about data protection, employees also need to:
- Know the key vocabulary of cyber security
- Understand the outcomes of recent security incidents and threats
- Understand their individual responsibilities for protecting company data
- Know the security threats posed by social media
- Follow safe email practices
- Follow general safe-browsing practices on the Internet
- Recognize the signs of a malware infection
- Keep anti-virus protection up to date
- Use best-practice approaches to passwords and access controls
- Use appropriate methods of data storage and retention
- Recognize typical phishing approaches
- Understand the requirements for safe use of mobile devices
- Understand typical approaches to identity theft and the safeguards that prevent it
- Know how to maintain the physical security of equipment
- Comply with the Federal Information Security Management Act (FISMA), where it applies to the organization
Security awareness is not a one-time training requirement. Refresher courses and updates will be needed as threats change, and training must be repeated for new hires.
Many organizations find it most cost-effective and efficient to engage a specialist training company to deliver employee information security awareness training. At Global Learning Systems we offer extensive experience in mitigating risk through security and compliance training for organizations. Our web-based security awareness courses are available off the shelf, can be customized to organizational requirements and can be implemented quickly. Company policies and procedures can be incorporated, and refresher courses and other reinforcement materials are available, including posters, newsletters, security news emails and short videos.