This article was updated on September 9, 2018.
When it comes to employee data security, your biggest risk could be your employees. SC Magazine writes that, according to an IBM cybersecurity report, 95 percent of organizational security breaches at least in some way involve employee error. The report highlights "phishing, system misconfiguration, poor patch management, the use of default user names and passwords — or using poor passwords — as well as lost laptops or mobile devices" as the major reasons for breaches.
While that number is rather appalling, what is even more concerning is that the majority of the issues listed could be side-stepped with education and communication from HR leadership.
Why Your People Are Your Biggest Risk
Today's cybercriminals are increasingly wise to human vulnerabilities within an organization. In 2015, for example, 37 percent of attacks on critical infrastructure were caused by spear phishing — an attack orchestrated via email in which a hacker masquerades as a family member, friend or business familiar to your employees, according to Tripwire reporting on an ICS-CERT report. It seems modern cybercriminals are less likely to focus on trying to crack your organization's network and more likely to attempt to gain entry where you're most vulnerable: your people.
Although most organizations have begun to implement education and training awareness programs to reduce the human error that opens organizations up to risk, simply having a training program may not be enough.
The task laid out for modern HR leaders is to work collaboratively to ensure everyone, from C-level executives to front-line customer service representatives, is doing their part in the fight against cybercrime.
Here are three best practices to appropriately arm your employees with knowledge, so you can keep your entire organization safe.
1. Start at the Top
In many cases, managerial personnel lack sufficient knowledge to act as information security authorities for their subordinates within the enterprise. The Security Standards Council recommends that, at a minimum, management should "understand security requirements enough to discuss and reinforce them, and encourage personnel to follow the requirements." Regardless of your organization's compliance requirements, a cultural shift in security responsibility should begin with your leadership.
SANs, a research and education organization, advocates for converting your managers into visible champions of enterprise-wide security efforts. Your staff's buy-in could be lower if your leaders fail to "visibly and consistently validate the security policy and procedure," as well as any other requirements that may be in a state of flux.
2. Set Clear Objectives
Ineffective security education programs might not boil down to outdated content or ineffective delivery. They may simply lack focus and measurable objectives. Security Week writes that the majority of problems with corporate security training come from a lack of goals.
These objectives should encompass each of the following:
- Regulatory compliance
- Disciplinary baselines for employee error
- Behavioral benchmarks
- Impact of training on results
In addition, HR leaders can work collaboratively with executive teams to foster and track a measurable change in behavior to ensure their training programs are leading to results.
3. Continually Reinforce Knowledge
HR leaders with a background in employee education and training are familiar with the foibles of the classroom approach. In many cases, periodic one-hour sessions can lead to poor information retention over time and a lack of measurable change in behavior. Security risks are a 24/7/365 problem, which is why it makes sense to take a continual approach to employee data security training.
For example, according to CSO Online, by implementing ongoing training efforts, including real-time simulations of phishing attacks and pop-up awareness videos, MSA, a global manufacturing organization, was able to achieve significant results. When their training began, they reported that 25 percent of employees had fallen prey to simulated phishing attacks, but after continued practice, that rate fell to just 5 to 8 percent.
HR leaders should think outside the classroom when it comes to data security training. By setting clear objectives, striving for total leadership buy-in and offering continual reinforcement of training, you can make major headway in diminishing your risk.