When it comes to devising a cybersecurity strategy, organizations need to put more emphasis on the human element. Fifty-two percent of businesses surveyed in a study by Kaspersky Labs said employees are their greatest security weakness. Other studies report that human error is responsible for anywhere from 60 percent to 90 percent of data breaches.
Most of the time, this isn’t the result of malicious behavior but is due to ignorance and/or a lack of diligence. (Of course, there will always be malicious actors, but that’s a whole different situation.) Yet unintentional mistakes still yield significant consequences. IBM and Ponemon’s Cost of a Data Breach study found that breaches cost UK enterprises an average of $3.88 million each. What’s more, 33 percent of UK organizations say they lost customers after a data breach. A Forrester study of companies in the UK and U.S. found 38 percent had lost business due to security issues.
Organizations need to embed security training into their regular operations and create a culture of continuous training.
The employee threat
While the numbers vary from survey to survey, the overarching consensus is that human error accounts for far too many cyber incidents. And a recent Ponemon Institute report found that the number of insider-caused cybersecurity incidents has increased by 47 percent since 2018. The problem is getting worse, not better.
Employees commit every possible kind of security error. The ones they commit most often include clicking on links sent via email, opening unknown attachments and entering personal or confidential information into what seems like a friendly and familiar website where the user has an account. These errors are driven by social engineering – the technique by which hackers take advantage of typical human behavior.
The added risk of remote work
The global work-from-home mandate has done cybersecurity no favors. In a study by Barracuda Networks, 46 percent of respondents had experienced at least one security incident since lockdown restrictions were in place; 51 percent saw an increase in email phishing attacks.
Several elements are converging right now to complicate the security landscape. Many organizations rushed into a work-from-home strategy, which means some security measures may have been given less attention or were overlooked entirely. The other key factor again comes down to human behavior. Research from Tessian revealed 52 percent of employees feel like they can get away with riskier behavior when working from home, including sharing confidential files via email instead of more trusted methods. They’re often using their own devices and networks, which adds further complication.
The responsibility of training
Ignorance is not a fault; failure to equip employees is. The fact is that most companies aren’t putting enough money into training when they make technology investments. Organizations routinely spend as much as 85 percent of their IT budget on technology and only 5 percent on education and training for that technology. When you think about that, it’s a wonder that more human errors don’t occur.
Organizations are implementing tools such as multi-factor authentication and advanced firewalls – but tools alone aren’t enough to guarantee optimal cybersecurity. Security training that simply but effectively highlights the importance of employee actions will create greater awareness and ensure your organization can enjoy the flexibility of a modern digital workplace while remaining secure.
Cybersecurity hygiene must become a central feature of this training. Cyber hygiene is a collective term for the practices and steps that users of computers and other devices take to maintain system health and improve online security. Breaches aren’t the only thing good cybersecurity hygiene can address – it can also help with preventing data loss, misplaced data and more.
A best practice is to develop a policy for cybersecurity hygiene that includes a specific training and education component – these aren’t things that can be taken for granted that employees know. Security is now part of everyone’s job, and training must be baked in to make that fact explicit.
Make training continuous
The right tools can enable you to ramp up communication and disseminate critical security updates (regulations, software updates and so on) and information to all segments of the organization and make it available to employees at all times. You also can provide training that’s specific to an employee’s job role, location or specialization.
Training and education must change because cybersecurity threats constantly change. Training isn’t a one-and-done, point-in-time need or merely an onboarding activity. It must be embedded into the daily and weekly operations of your organization. The best way to accomplish this is by making the training easily accessible to employees, whenever and wherever they are.
There’s a wide array of learning technologies aimed at helping make this possible without becoming an additional burden. With educational modules located in a central repository, it becomes easier to train your employees on the risks, tools and procedures that surround cybersecurity. This empowers them to be on the front line for prevention of cyberattacks and data breaches.
Education is security
In today’s advanced threat landscape, made more complex by the sudden shift to remote work, training has become a crucial component of any organization’s cybersecurity strategy. Statistics show that employees are behind a majority of data breaches, but poor or no training lies behind those numbers. Employers have the opportunity to greatly improve their security posture by providing employees with training on new technologies and on basic cyber hygiene. Using today’s learning delivery tools, they can create a culture of continuous learning that benefits the company and its customers.
Flemming Goldbach, vice president of product, LMS365