Without Employee Security Training, Your Security Plan Won't Survive


May 18, 2017 by Alex Collins, IT Services Consultant

Not even the most expensive security system can help you if you can't “patch” your business' greatest cybersecurity vulnerability: your staff.

Research paints a sobering picture: a study by the Identity Management Institute found that over 90 percent of cyber attacks are only possible because of information stolen from employees.

“Organizations still fail to protect their most valuable assets from hackers because they focus too much on network security while ignoring the employee identity theft and access exploitation risk,” explains Henry Bagdasarian, founder of Identity Management Institute.

Disturbingly Small Fraction

Despite the urgency of the situation, a disturbingly small fraction of businesses take action to close the gap in their employees' cybersecurity training. Companies may be loath to allocate adequate resources, believing that spending on training fails to provide a significant return on investment.

The growing cybersecurity training gap turns up in survey after survey. According to the Pew Research Center, only fifty percent of a representative sample of employees could answer a list of basic cybersecurity questions.

Less than half of companies provide any cybersecurity training (as found by an Experian/Ponemon Institute study), and more than half don't retrain employees after a data breach occurs.

Strengthen Knowledge, Fortify your Security

“Many security officers intuitively know that security education is an important line of defense against cybercrime,” explains Wombat Security Technologies' President and CEO Joe Ferrara. “They have trouble convincing senior management to spend the money necessary to execute an effective training program.”

In reality, instituting employee training brings returns out of all proportion to the cost: reducing the risk of a cybersecurity breach by up to 70 percent, according to a Wombat Security Technologies study.

Improved cybersecurity training for employees should go further than a single basic course. The data suggests that cybersecurity awareness training should cover the following:

  • Required, advanced-level training for all employees and contract workers – participants must finish their training with a complete understanding of the risks that can lead to a data breach

  • Retraining on an ongoing basis, addressing new and evolving threats. Compliance degrades rapidly within weeks of a training session's completion, underscoring the need for regular retraining. Conversely, employees' awareness of cybersecurity risks runs highest immediately after a breach; employees should undergo a briefing in such an event.

“The single most important and cost-effective action any company can do to raise its game on information security is training, but it can’t be a one-time orientation video for new hires,” explains author, IP and legal security consultant James Pooley. “To be really effective, training has to be continuous; varied, so it’s interesting; world class, which means hiring experts, and inclusive, [which means] executives have to join in.”

Carrot and Stick

But not even a training program can help a company that refuses to reinforce the new information with penalties or incentives.

“The next step after implementing a regular cybersecurity training program is to put in place policies and procedures to enforce what's learned,” explains Tom DeSot, Chief Information Officer of computer security provider Digital Defense.

The Experian/Ponemon Institute study bears this out: less than half of surveyed companies formally reprimand employees whose careless data habits cause a cybersecurity breach. And 67 percent of respondents have no incentives to encourage employees with good data habits.

Holding Everyone Accountable

“Employees aren't being held accountable for skirting proper procedures that would normally protect their company from different cyberthreats,” DeSot complains, recalling a social engineering experiment he performed on a client that yielded full access to the client's network in less than an hour. “While they did have an information security training program in place, no one was enforcing the practices being taught,” DeSot recalls.

Strengthening the cybersecurity weak link is now more important than ever. And companies can't plead lack of budget or lack of expertise to excuse their employees' lack of cybersecurity training: third-party managed IT services like those provided by All Covered Care can step in to provide the employee training that businesses sorely need these days.

In the end, cybersecurity becomes everyone's responsibility: it's on the employees to nurture good habits that keep breaches from occurring, and it's on the upper management to foster training that makes those good habits possible.