People, processes and technology are the three building blocks of an effective cyber security strategy. While processes and technology can be controlled, managing or influencing people’s behaviours might be more complex, if not impossible. And here lies the problem. According to the recent Ponemon survey sponsored by Experian, 66% of professionals interviewed admit that employees are the weakest link in the company’s security strategy, and a further 55% claim that their organisation suffered a security incident or data breach due to staff misconduct, either malicious or inadvertent.
The report highlights three main problems:
1 – Cyber security policies and procedures are not shared
Lack of communication is one of the reasons staff cause data breaches: employees are not aware of cyber security policies and procedures, nor are they aware of the cyber risks their company faces. So, how are staff supposed to avoid such risks? One of the best ways to raise staff awareness about security is with e-learning courses.
2 – Staff training is not a top priority
Despite acknowledging the issues surrounding insider threat, companies do little to address them through measures such as staff training. Only 45% of professionals interviewed said that staff training is mandatory for all employees, and 60% of companies don’t require staff to retake security training courses after security incidents. Ongoing staff training is beneficial for both parties – the employee and the company – making sure they are on the same track.
3 – Basic staff training is not enough
Only 3% of the respondents stated that their company mandates customised courses for everyone alongside advanced courses for specific employees. This means that the majority of companies (43%) don’t provide staff awareness courses focused on the company’s specific security procedures and policies, which links back to point 1.
Need for relevant and regular staff training programs
Staff training programmes help employees understand internal cyber security policies and compliance requirements, make them aware of the risks their company faces daily and how to avoid them, and improve internal communication. IT Governance’s staff awareness e-learning courses can be rebranded to match corporate identity, and customised to incorporate company policies and procedures, information and specific instructions to maximise staff understanding of the topic. View details of the customisation options available.
Motivation is the key
The report concludes that insider risk can be mitigated with training and culture:
- Besides e-learning courses, you can share and promote cyber security best practices through enjoyable activities like role-playing games; see, for example, the ISMS Card Game.
- Creating a culture where security best practices are shared is beneficial to the working environment. Read more about this in the book Build a Security Culture.