Many businesses and enterprises focus on protecting their networks and data from external IT security threats, with little focus on internal threats, opting to ‘trust’ the internal users. However, your own employees can pose a greater danger to your data, and they cause the most data breaches.
The recently released “Understand the State of Data Security and Privacy” report found that 36% of data breaches were caused by inadvertent misuse of data and 35% were caused by malicious internal users. Last year, those figures were 27% and 12% respectively.
I usually take all of these figures here with a pinch of salt, but I do know from experience that enterprises take a lax attitude when it comes to internal security. The main issue in this case seems to be a lack of training in security awareness and policies. The report stated that 42% of the respondents had received training on how to remain secure at work, and only 57% said that they were aware of the security policies of the company. Educating users on how to approach computer use and to protect themselves from cyber-threats is necessary.
There have been voices denouncing the effectiveness of training users in computer security, such as here and here. But this is a fallacy: it supposes that training is the be-all and end-all of IT security, when it is really just intended to be another layer of defence. IT security is about reducing risk, and that is what user education is for.
Some advantages of user awareness education are:
- It helps users to be vigilant about computer use and possible security risks
- It can be a low effort, high impact way of protecting your data
- It may improve the relationship between users and IT if done right
- It can be transformative as users take the lessons to other facets of the organisation or even their lives
I won’t claim that user education is some sort of magic bullet, but it can be a useful weapon against data breaches.
There is another part of the Forrester report that is worth mentioning: IT departments tend to think too tactically about IT security, choosing instead to focus on technology, such as anti-virus and data loss protection (DLP), to protect against the inadvertent actions of users. Even security awareness training for users is a tactic in itself. What companies need is a strategy for protecting their data.
The framework that Forrester defined seems like a good place to start, as it is similar to other frameworks I’ve seen and used. At a high level:
- Classify your data and define which of it you wish to protect.
- Determine how data is being used and what mechanisms are available to protect it.
- Implement the protections.
Remember that your data is a valuable asset, if not the most valuable asset, to your organisation, and you must protect it.
What do you think? Do you believe that your company will benefit from security awareness education, or do you think that the money and effort are better spent elsewhere? Chime in below.