Your employees are an important line of defense against a data breach or cyberattack that could lead to financial or reputational loss for your company. Increased investment in employee training can reduce the risk of a cyberattack by between 45 and 70 percent, according to a study by Wombat Security Technologies and the Aberdeen Group published in 2015. Wombat and Aberdeen went so far as to say that employees are “perhaps the greatest evolving security threat.” See full study.
Step 1: Start at the top. A successful training program starts with support from senior leadership. Get their buy-in by clarifying the business risks and consequences to the company of a data breach. Consider these statistics as you build support.
- Forty-nine percent of data breaches are caused by malicious or criminal attacks, and 19 percent are related to employee negligence.[1]
- The same study found that $217 is the average cost per lost or stolen record, and that the breaches studied ranged from 5,655 to 96,550 records.
- Eighty-four percent of employees are using personal email to send sensitive files and more than 50 percent expose company files or data by uploading to a cloud-based service such as Dropbox or YouSendIt according to this report from Ipswitch.
Step 2: Increase employee awareness. Educate employees and train them on how to handle confidential information, safe email behavior and security best practices. This matters especially as social engineering schemes, which use specific information about a target to extract sensitive data, continue to grow. If employees don’t understand how criminals work and how they can be targeted, they can’t be on the lookout for them.
- Schedule sessions to train all employees – any one of them can become a target, not just those who are customer-facing.
- Make your employees part of the solution by emphasizing their role in protecting your company’s information and asking for their ideas to mitigate risk of a breach.
Step 3: Test the security savvy of your employees. If you can’t measure it, you can’t manage it. So start with understanding the level of your employees’ current security knowledge.
- Our Vice President of IT at Park Bank administers tests and works with a security firm to emulate phishing attacks against our employees.
- Consider working with an outside security firm to emulate phishing emails and other cyberattacks, so employees develop their ability to identify social engineering schemes.
Step 4: Follow up with employees on their test results. Constant reinforcement and affirmation of progress will encourage your employees to remain vigilant. Our Vice President of IT uses multiple communication approaches with managers and employees to follow up.
- If an employee clicks on a simulated phishing attempt, share the results with that person.
- If you administer a quiz, show them their results and compare with the average.
It takes 90 days to break a habit, and 90 days to form a new habit. A successful training program will take time, but with consistent attention, employees can be a powerful deterrent to a data breach within your company.
This is not a comprehensive guide and is for informational purposes only. Please consult your IT professional for guidance specific to your company.
[1] Based on the 2015 Cost of Data Breach Study by the Ponemon Institute.