Okay, we admit it. We may have a slight obsession with keeping up on the latest security reports (specifically regarding security awareness). But there’s good reason. Tucked between the data and the charts are patterns of behavior. Identifying these patterns can help us improve our security posture.
The 2015 Information Security Breaches Survey commissioned by the U.K. government is no different, and it provides a compelling snapshot of security threats facing businesses in the U.K. It also makes us wonder if businesses truly understand what security awareness training is all about or if many are still just “checking the box.”
The report opens like so many other security reports. We learn that a growing number of companies are coming face-to-face with security incidents. Actually, based on the numbers, it seems almost inevitable that corporations will face a breach, with 90% of large organizations reporting a security breach last year, up from 81% the year before; and 75% of smaller organizations admitting the same, up from 60% the year before.
What or who is responsible for those breaches? Well, 50% of organizations attributed their single worst breach of the year to inadvertent human error. Looking at overall breaches for the year, 81% of larger organizations stated there was an element of staff involvement; this was an increase of nearly 40%! Once again, it’s employees doing the wrong things that often cause the most havoc on the business.
The message is simple: if businesses want to keep their organizations safe, they need to do a better job educating employees on how to identify risk and react appropriately.
But here’s where things get particularly interesting!
If you look at the report, it tells us businesses ARE investing in security training. Ongoing security training at large businesses is reported to have increased from 58% to 72%, and from 48% to 63% for smaller businesses. Training has increased, so why aren’t the numbers around breaches going down?
Because it’s not just about providing security training, it’s about providing educational experience that changes behavior.
The report showed that the attitudes around building a security-aware culture still need improvement. Too often, businesses are practicing “check-the-box” security training, and doing a poor job reinforcing the importance of security within the organization. The training is not motivating people to make even small changes or to adopt new security-aware behaviors. We have seen this before. Most likely, these companies are throwing generic training, which is usually quite boring, up against the user population and hoping that it works. The sad fact is that truly effective security awareness training doesn’t usually cost any more than ineffective training. The knowledge gap is evident in a number of the data points shared in the report.
We heard things like:
- A “lack of priority” from senior management was a contributing factor in their single worst breach, an increase of 21% from last year;
- 72% of companies where the security policy was “poorly understood” had staff-related breaches (we create the policies; we’re just not making sure people understand them);
- 33% of large organizations say that responsibility for ensuring data protection is not clearly assigned; and
- Nearly one third of organizations have not conducted any form of security risk assessment (if you haven’t assessed your risks, how do you know what training users need?).
Here lies the problem. It shows a lack of engagement and a sense of complacency around security awareness training.
Businesses say they understand the importance of security—they’re buying insurance policies and they’re investing in new technology, according to the report. But those alone will not protect the organization. The best insurance policy you can achieve is an educated workforce—one that understands the risks present and knows how to successfully identify them and take the correct action.
Improve your security landscape (and save money by not suffering a breach) by doing the right things to create and maintain a security-aware culture. These include:
- Make security, and security awareness, a priority within your organization, from the top down.
- Put together strong security policies, and make sure the staff understands them and their role in data security.
- Perform a risk assessment, one that not only looks at outside vulnerabilities, but also assesses employees’ weak points.
- Build security awareness training around these risks and tailor it to the specific roles and functions being performed.
That is how businesses will start lowering data breach numbers. Policies, technology and insurance are great, but they’re not enough on their own. Without proper security awareness education and communications, your users will not be prepared to respond to these constantly evolving risks. You must build a security awareness program tailored to the needs and risks of the organization, one that prioritizes good training and reinforcement to attain a well-educated workforce.
Photo: Really Bored Kenzo