Did you know that 76 per cent less money is spent on security when employees are trained on security protocols and awareness, such as recognising potential threats like phishing scams? With the average breach costing an organisation $7.6 million (£5m), that’s a substantial cost saving.
Brute force cybersecurity attacks have long been an issue of concern; however, recent and costly breaches due to mishaps by employees are occurring at an alarming rate. Seventy per cent of breaches are attributed to credentialed insiders. Perhaps not coincidentally, we’re seeing and hearing from many organisations that employee security training is being neglected. In some cases, like with contractors and outside agencies who need access to internal systems, security training isn’t being done at all.
Typically, when an employee is hired by an organisation they must go through some sort of onboarding program driven by HR. This process includes mandatory compliance training on a variety of subjects: harassment, discrimination, protection of company assets, the company code of conduct, and safety training (related to illness, injuries, and exposure to hazardous substances). However, how often have you personally encountered training on security processes and protocols as part of that onboarding? Probably not very often.
Only 57 per cent of chief human resource officers (CHROs) report they have rolled out employee training that addresses cybersecurity, according to a study from IBM Security.
That is an alarming statistic to hear when we know how often employees are playing a part in security breaches, even unintentionally.
Think about how much employee actions expose risks
- 70 per cent of IT breaches can be attributed employee actions
- 90 per cent of all malware requires human interaction before it can infect its target
- 63 per cent of employees admit to using a work computer for personal use every day, and 78 per cent of employees access personal email from business computers - increasing the likelihood of falling victim to malware or phishing schemes
Data like this proves that it’s now everyone’s job in an organisation to prevent data breaches, from individual employees to the CEO. IT can not and should not shoulder the responsibility of security compliance alone. That responsibility must extend across an organisation to all employees.
Security must begin with HR
Sometimes those of us who work in IT tend to put all our faith in technology, insisting that the right technology can do the job every time. That’s not necessarily wrong; good technology, in this case security technologies, can go a long way in protecting our data and systems. However, what happens if we combine that great technology with human interaction? Think back to the stat shared earlier in this article – 76 per cent less money is spent on security when employees are trained on security protocols and awareness. When the employees we’re securing with technology understand more about the risks we’re trying to minimise and the technology they’re using, that technology becomes even more effective.
Human Resources is a department that could play an important role in risk mitigation, but traditionally hasn’t. While IT touches every employee indirectly through management of employee directory systems, like Active Directory, HR is the one group that physically or verbally interacts with every single employee through the onboarding process.
IT should begin working with HR to prevent cyberattacks
When a new employee joins an organisation, security could be one of the first things they learn about if it was included as part of their onboarding training. They could be instructed on how to use the security tools you have in place, as well as how to recognise potential threats they may face. Another key component of this training is sharing corporate policies that have been created for things like document and access sharing. It’s important for employees to understand what they can and can’t do – and just as important for them to understand the rationale behind why they can’t do certain things. If cloud document sharing sites are not allowed, employees need to understand how these sites put the organisation at risk and what alternatives are available to them.
This type of training could be done by IT, or it could simply be created by IT and delivered via an online module or video. HR can help you identify the method that’s a best fit for your organisation. Partner to let them control the delivery, while you control the content.
Another area where HR could help with cyber risk mitigation is employee communications. IT-focused internal communications tend to be sent only when there’s a problem, like a systems outage. Have you thought about working with your company’s internal communications group within HR to notify and educate employees about new cyberattack methods?
HR can also help with delegating security responsibilities. Some security tools, such as identity management software, allow for decentralised responsibility. Rather than IT completely controlling and managing the access for all employees, some of those responsibilities can be delegated to department or business unit managers. HR can assist IT with determining and arranging that delegation. Maybe an employee needs to reach a certain level or complete a certain amount of security training to be granted that responsibility. Those types of decisions are where HR can bring valuable experience.
Preventing security risk should not be a burden shouldered by IT alone. Establish a security partnership with your HR team. Share the data with them, so they understand how important of a role they could have in cyberattack prevention – serving as a valuable and powerful ally in combating the security risks facing your organisation.
James Litton, Founder and Chief Executive Officer at Identity Automation