One of the biggest risks organizations face is lack of security awareness from their own employees. According to Ponemon Institute’s 2020 Cost of Insider Threats Global Report, the cost of insider threats continues to grow. While the term “insider threats” includes credential thieves and malicious insiders, it also encompasses careless or negligent employees.
In fact, the report found that 62 percent of insider-related incidents were due to negligence or error by employees. For this reason, security awareness training is an integral part of implementing an InfoSec program. It can be challenging to consistently conduct training and track it centrally to prove you are compliant, but it does not have to be. It is possible for security leaders to train employees efficiently and cost-effectively. It starts with prioritizing a strong security posture.
Security Training Lags Behind
For many companies, particularly early-stage companies, security training hasn’t been made a priority. And this isn’t necessarily because they don’t think it’s important—it’s just that there are a lot of competing needs. Startups, for instance, are just trying to survive, trying to get to the next round of funding, and get their product out to the market. Trade-offs have to be made. If the startup isn’t a security company, then security is probably not on top of the list. The biggest determining factor on whether security training happens is simply whether it’s a priority for the CEO.
Employees’ Security Awareness Directly Impacts Compliance
Employees are both an organizations’ biggest asset and its weakest link when it comes to cybersecurity. People mean well and are not typically malicious; it’s just that they are the most unpredictable pieces to the security puzzle. Negligence, errors, moving fast, eagerness to help, or simply a lack of training can all be risks for an organization if employees are not aware of common threats or fail to follow through on secure procedures.
Phishing attacks, social engineering, poor password policies and lax access privileges are examples of issues that occur naturally “in the wild” of day-to-day employee life if they are left to their own devices. Security awareness is key to educating your employees about these threats, and how they play an important defensive role in keeping your information and assets safe.
In addition to losing valuable data, lacking a security awareness program can also cost you revenue. During the sales cycle, your clients will ask you for third party validation that you are a secure steward of their data. In order to pass a third-party security audit such as SOC 2 or ISO 27001, you will be required to prove you have an operational employee security awareness program. If you cannot, then you will fail the audit, which could delay a sales opportunity, or even lose it altogether. It is best to get in front of this problem and put something in place early on so you don’t get breached or fail these audits.
An Ongoing Plan
Failure to meet compliance requirements can have significant consequences, as mentioned above. That can range from fines from regulatory bodies and data breaches that result in information theft and more. It can also hinder the closing of deals with new customers and partners, who need to feel assured of your company’s strong security posture. Having a strong, documented training plan in place can go a long way to preventing such needless losses. It also provides a proof point to show your customers and partners that you take security seriously and that it’s part of the company culture.
The manner in which you train your employees will determine to a great extent their effectiveness and adherence to company policies. Though many practices can be common sense and their skills catered specifically to their specific job roles, a training plan can have a wide-reaching effect on making sure elements of your organization stay secure and run as smoothly as possible.
A security awareness training plan is vital, but so is its thorough implementation. Implementing and ensuring that your employees follow that plan regularly is the key to achieving and sustaining the level of security and compliance you need. As alluded to above, investing in training and security awareness programs is vital for sustainable business growth and success.
Having a clear plan is the only way to make sure that employees are aware of and clear about security practices and, if not, that they will be. It also needs to include controls – that is, clearly defined actions that will be enacted if an employee breaches your security policies after being made aware of them. Overall, you want to remove the excuse of ignorance to justify failing to uphold your organization’s security policies. If an incident occurs, you will at least have records to prove that you provided training to your employees.
Enabling Compliance and Growth
Lack of security awareness among employees brings a one-two punch. First, it makes your organization less secure against increasingly sophisticated attacks and employees’ own errors. Second, it fails to meet the compliance necessary for prospective customers to trust you. This is why security training is a must-have, not a nice-to-someday-have.
Insider-caused incidents are expensive to clean up, and two-thirds of them are unintentional. The onus rests on company leaders to make sure employees receive the security training they need—especially now that most of them work from home. Create a training plan, implement it and revisit it regularly to make changes as needed so employees always have the latest information on helping to protect the organization. This enables greater efficiency, consistent compliance, and long term business growth.
Patrick Murray is chief product officer of Tugboat Logic.