Employee Education: An Important Cyber-Security Antidote

DEC 17, 2018

“Employees are a company’s greatest asset – they’re your competitive advantage.” Anne M. Mulcahy

Verizon’s 2018 Data Breach Investigations Report, which analyzes security incidents, again reported that humans continue to be a weak link behind many of the compromises. That means your employees represent a significant risk when you consider that, according to Verizon, “phishing” will get hackers inside corporate gates 90 percent of the time.

Despite this negative news, we believe that with a comprehensive security awareness effort, your employees can be your greatest asset in keeping your company secure. To get you thinking in the right direction, here are three things that can help:

  1. Make data security part of the corporate culture: In a new survey on cybersecurity culture by ISACA and CMMI Institute, 90% of the nearly 5,000 technology professionals who participated identified a gap between their existing culture and the cybersecurity culture they would like to have. That means your management team must be 100% on board with and supportive of any security awareness program. Your team’s awareness goals and messages must also be communicated clearly and often. Your team must embrace a clear set of security policies and have an assessment and measurement plan in place.
  2. Make employees feel like assets to security – not liabilities: This might be tough, especially given what we read in the Verizon Report and the Ponemon Study. But make no mistake, attitudes shape actions. So, bolster your team with positive reinforcement, clear security awareness objectives, and frequent communication. Appropriate awareness training – training that engages employees and educates them on the value of security – can go a long way in reinforcing to your employees the impact they can have in helping to mitigate risks.
  3. Make sure employees know your security policies – even the grey areas: Clearly there are obvious kinds of security breaches (passing along company information, sharing databases), but trust us when we say that in our experience, there is a greater need to pay attention to the “grey” areas. These include sharing contact lists with friends at other companies, “backing up” sensitive data to home systems or unauthorized storage devices, and copying intellectual property to USB thumb drives to transport it to a remote development site. Your employees may not think twice about these kinds of no-no’s, but they can absolutely lead to costly breaches. We’ve seen a darker side too: as employees begin pushing the boundaries, there may be increased temptation to profit from these violations.

Of course, this is just scratching the surface. Studies today reveal that, while they may not have malicious intent, the negligent actions of employees caused 64 percent of all insider threat incidents in the past 12 months (Ponemon Institute). Our experience tells us that companies worldwide realize that security awareness training must be part of an overall information security plan, especially for those that must comply with regulations and standards such as PCI, NIST, ISO, HIPAA and GDPR.

The security experts at Trace3 understand the challenges and risks and can help guide your business in designing and implementing a comprehensive Security Program. Our vision is to assist organizations in developing a comprehensive security program, roadmap, and controls that provide the best return on security investments through both tactical and strategic planning. Tactical planning focuses on relatively low-cost improvements that provide quick wins against immediate risks, while strategic planning helps organizations improve their long-term security posture and achieve their security goals more effectively.

Trace3 aims to leverage security best practices and widely adopted cyber security frameworks such as NIST, ISO, and the CIS/SANS 20 controls. By following a risk-based approach, organizations can better identify security risks, measure progress and maturity, and communicate security objectives and goals using standard language and common terms. Learn more about the Trace3 Security Services portfolio and how Trace3 can help with your security initiatives.
