creative soul - Fotolia
Believe it or not, most studies show that employee human error is by far the leading cause of malware infestations, data breaches and other security incidents within the enterprise. While these are referred to as insider threats in the IT security world, that name is somewhat misleading. After all, we're talking about your employees. Most of the time, no malicious intent is actually behind an insider threat incident. Instead, the threat is simply an employee's lack of understanding regarding how to operate safely within the corporate network. To address the problem, offering employees security awareness training on data security threats and how to avoid them will go a long way toward better securing your IT infrastructure.
If your IT security department is spending thousands or millions of dollars on the latest high-tech firewalls, malware prevention software and data loss mechanisms but doesn't properly train employees on security threats, you're probably throwing your money away.
In most businesses, trusted employees are granted a great deal of privileged access to sensitive information. Despite all of the expensive security tools you may have implemented to protect data from being harmed or escaping, it remains easy for poorly informed employees to inadvertently bypass security tools without being aware they're doing something wrong.
The key to proper security awareness training is to provide education early and often. Many companies require new hires to go through some form of security awareness training during their new employee orientation process. While this is a good first step, it doesn't go far enough. For starters, new employees are likely to be overwhelmed with all the new people and processes thrown at them. The likelihood a new employee will retain even a portion of what was presented with security awareness training is low. One best practice is to schedule a mandatory refresher course within 30 days of an employee's hiring date to better solidify the initial training program.
The other misstep that companies take when instituting security awareness training is that they fail to provide regular and mandatory refresher courses that cover new security procedures, standards and threats. Mass emails or mentions on the corporate intranet don't cut it. Despite the time, effort and cost required to provide continuous retraining on data security threats, the return on this security investment can be enormous.
Dig Deeper on Risk management
Related Q&A from Andrew Froehlich
The zero-trust security model demands infosec leaders take a holistic approach to IT infrastructure security. Learn about the top six business ... Continue Reading
Zero trust and the principle of least privilege may appear to solve the same issue, but they have their differences. Read up on the two methodologies. Continue Reading
Security administrators don't have to choose between zero-trust and defense-in-depth cybersecurity methodologies. Learn how the two frameworks ... Continue Reading