The idea of data breaches, ransomware, phishing attacks, and other digital criminal activity may conjure images of hackers or organized cybergangs hell-bent on penetrating an organization’s systems. The underlying truth is not always as sinister, but it is just as disconcerting.
Alas, the biggest threat to organizations’ data is often the employees themselves—rank-and-file workers who are simply careless, uninformed, or lazy. Bad guys are out there trying to hack into organizations, and although they usually can’t get by IT security measures and controls, they may find success when employees inadvertently let them in. Consider:
- A report by Shred-It found that as many as 47 percent of data breaches are caused by employee negligence.
- Recent Kaspersky research discovered that 91 percent of public cloud data breaches were the result of social engineering tactics—basically, tricking employees into granting access (e.g., phishing attacks).
Data breaches remain a huge problem for today’s organizations—Verizon’s 2019 Data Breach Investigations Report identified 41,686 security incidents and 2,013 breaches last year. Although active cybercriminals and angry employees will always be threats, human error and poorly trained employees pose the biggest risk...and the biggest opportunity for prevention. A solution to this frightening dilemma can be found in outstanding training strategies, predictive data that identifies security awareness gaps, and proactive measures to shore up those gaps.
The Most Common Human Errors
The IT processes employees interact with every day may be complex on the back end, but that doesn’t mean they aren’t vulnerable in their practical use. Even with heightened controls and governance, a level of due diligence is necessary from users. Unfortunately, best practices are often forgotten or ignored, thus leading to these errors, which can open the front door to data compromises and security breaches:
- Public Wi-Fi: In the increasingly remote workplace, employees may log in to public, mostly insecure Wi-Fi networks and not think twice about accessing company systems, typing in passwords, or calling up sensitive data (including customer info) on the open connection. A greater risk is employees logging into what they think is a safe network but is really a fake connection set up for cybercriminals looking to steal data.
- Bad passwords: Even though password best practices have been commonly known for years, employees still use obvious, easily guessed passwords. Other common password mistakes include writing down their passwords, always staying logged in, and using the same password for multiple accounts.
- Mobile devices: Employees mistakenly believe that because they are using a smartphone or a tablet—especially if it’s their own—it is not being targeted or is inherently more secure. And of course, mobile electronics are more easily stolen or simply left behind for anyone to find and exploit.
- Email: Phishing attacks and fake emails have become much more convincing in recent years, fooling employees into clicking on bad links or giving up login credentials. Even in the absence of sophisticated attacks, a small percentage of users are still careless with their email accounts and open messages they shouldn’t.
Besides general carelessness, a running theme with these errors is a false sense of security and failure to recognize the warning signs of an attempted cyberattack. For example, fake Wi-Fi connections may ask for an email address and username to appear legitimate. Without good training, these bad assumptions can turn into IT disasters.
Training to the Rescue
Security awareness training isn’t a cure-all for these employee errors—risk can’t be entirely eliminated, and you still might get someone who aces every concept yet absentmindedly leaves their smartphone on the train—but it surely can come close. An ecosystem of learning begins with annual training initiatives and is supplemented with engaging and entertaining reinforcement anytime afterward. This ecosystem can include:
- Adaptive training: The same training for every user often leads to uneven results—some people fully grasp the concepts, but others don’t engage and learn little, and nothing occurs to bridge the knowledge gaps. Adaptive training creates a dynamic experience for employees, automatically adjusting to each user’s engagement and grasp of the concepts being presented. In this way, each employee’s journey to security awareness may differ, but the same outcome is achieved: Employees can recognize basic threats and follow through on best practices.
- Post-training resources: The strategies employed after formal training go a long way toward ensuring security awareness concepts stay fresh and become ingrained in employees’ everyday decisions. For example, gamification turns training into a challenge that inspires people to want to learn. Microlearning delivers videos and short, scenario-based questions directly into employees’ inboxes. Job aids offer digital references employees can consult to confirm they are following best practices.
- Behavioral data: Companies can get so much more from their training efforts than, well, training. The data extracted from security awareness programs can measure engagement with the material, identify weak spots, and inform future strategy—thus bolstering employees’ collective knowledge and decreasing risk even more.
Unfortunately, security awareness training often becomes an issue only after an organization has been burned by a data breach or a ransomware attack. IT departments can only do so much to protect an organization’s systems; the employees using the technology need to do their part to maintain compliance. Great training, backed up with insightful data and complementary strategies, can be silently effective in identifying where the weaknesses are and predicting where unknown weaknesses will pop up before they become problems. Those aren’t the kinds of victories that are easy to shout from the rooftops, but in this high-stakes digital era, it’s the ultimate goal.