Employee Error Accounts for Most Security Breaches


A recent study by a well-known information security company captures one of the most common information security fallacies: that information security is a technology problem. Most businesses view mitigating information security risks as falling squarely in the purview of their information technology department. However, this study reports that human error actually accounted for nearly two-thirds of security compromises, far exceeding causes like insecure websites and hacking.1 While technological measures (e.g., anti-virus software, access controls, firewalls, and intrusion detection systems) are clearly important, their effectiveness pales in comparison to the benefits gained by effective security awareness training.

Just as troubling, another recent study found a 789% increase in e-mail phishing attacks containing malicious code, including ransomware, in the first quarter of 2016 over the final quarter of 2015.2 Phishing, which is an attempt to obtain confidential information or access by fraudulently posing as a legitimate company seeking information via e-mail, instant message or other electronic communication, specifically preys on employees who have not been trained to recognize the scam. A successful phishing expedition can result in the loss of confidential and financial information, system disruption and consumer litigation exposure. Every industry is impacted and at risk.


The results of these studies should serve as a clarion call to businesses. While we have long known that the human component is the key to improved security,3 it is also one of the most neglected areas in many businesses’ information security programs. Security awareness training for employees is one of the most important and effective means of reducing the potential for costly errors in handling sensitive information and protecting company information systems. Regardless of how much money and effort a business spends on its technological security measures, it cannot achieve an adequate level of security without addressing the human component.

Awareness training can ensure employees have a solid understanding of employer security practices and policies, as well as the tell-tale signs of an attempt to gain improper access to computer systems and confidential information. In contrast, uninformed employees are susceptible to mistakes, malware, phishing attacks, and other forms of social engineering. They can do substantial harm to a company’s systems and place its data at risk. The recent spate of ransomware attacks highlights just how critical the human element really is, as almost every one of those attacks resulted from human error.


First and foremost, it is critical that training programs have the participation of and include input from all relevant stakeholders at the company, including Human Resources, IT, Information Security, Legal, and Compliance.


Key aspects of any successful training program should also include the following:

  • Train on an ongoing basis. Avoid limiting training to when an employee is first hired or assigned to a new role in the organization.

  • Train creatively, not just in a non-interactive classroom setting.

  • Look for means to introduce interactivity into the training process.

  • Have a means of measuring progress.

To be truly effective, a security awareness program must provide “multiple methods of communicating awareness and educating employees as well (for example, posters, letters, memos, web based training, meetings, and promotions).”[1]

Training can be conducted through a number of means:

  • Classroom sessions

  • Webinars

  • Security posters and other materials in common areas

  • Brown bag lunches

  • Helpful hints distributed to employees via e-mail or corporate intranet posts

  • Simulated phishing attacks (e.g., systems that will periodically send phishing e-mail to employees attempting to lure them into clicking on an attachment or a hyperlink and then alerting the employee that they have engaged in an insecure activity)
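The simulated-phishing bullet and the earlier point about measuring progress go together: a simulation is only useful if its results are tracked campaign over campaign. The following is an added example, not code from the article or from any phishing-simulation product, that takes a constructed log of simulation events (sent, clicked, reported) and computes the click rate and report rate per campaign, lists who clicked for follow-up training, and checks whether the trend is improving. Campaign names, employee names, and the event format are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample of simulation events (not real data): one row per
# (campaign, employee, event). Event types: "sent", "clicked", "reported".
EVENTS = [
    ("2016-Q1", "alice", "sent"), ("2016-Q1", "alice", "clicked"),
    ("2016-Q1", "bob", "sent"), ("2016-Q1", "bob", "reported"),
    ("2016-Q1", "carol", "sent"),
    ("2016-Q2", "alice", "sent"), ("2016-Q2", "alice", "reported"),
    ("2016-Q2", "bob", "sent"), ("2016-Q2", "bob", "reported"),
    ("2016-Q2", "carol", "sent"),
]

@dataclass
class CampaignStats:
    sent: int            # number of employees who received the simulated e-mail
    click_rate: float    # fraction of recipients who clicked the lure
    report_rate: float   # fraction of recipients who reported it as suspicious
    clicked_users: list  # recipients who clicked, for targeted follow-up training

def summarize(events):
    """Return {campaign: CampaignStats}; each employee counts once per event type."""
    per_campaign = defaultdict(lambda: defaultdict(set))
    for campaign, user, kind in events:
        per_campaign[campaign][kind].add(user)
    result = {}
    for campaign, kinds in per_campaign.items():
        sent = kinds["sent"]
        if not sent:
            continue  # no recipients, so rates are undefined
        # Only count clicks/reports from people who actually received the e-mail.
        clicked = kinds["clicked"] & sent
        reported = kinds["reported"] & sent
        result[campaign] = CampaignStats(
            sent=len(sent),
            click_rate=len(clicked) / len(sent),
            report_rate=len(reported) / len(sent),
            clicked_users=sorted(clicked),
        )
    return result

def improving(stats, earlier, later):
    """True when the click rate fell and the report rate rose between two campaigns."""
    return (stats[later].click_rate < stats[earlier].click_rate
            and stats[later].report_rate > stats[earlier].report_rate)
```

Feeding real campaign exports into `summarize` in place of the constructed `EVENTS` gives the progress measure the program needs, and `clicked_users` identifies who should receive the just-in-time training the bullet describes.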

Additionally, having comprehensive and understandable employee policies is critical to a company’s information security safeguards. Readable and effective policies can be used in conjunction with effective employee training to reduce data security incidents caused by human error.

Finally, one of the most effective ways to increase employee security awareness is to help employees understand that good security practices can also benefit them personally. Being security-aware not only serves to protect their employer’s systems, but also helps in better securing the employee’s own personal data and computers. For example, by being more vigilant in identifying potential phishing attacks at work, the employee will become more vigilant in using home e-mail accounts and thereby protect their own data, photographs, financial accounts, etc.


1 https://www.egress.com/news/egress-ico-foi-2016
2 http://phishme.com/phishme-q1-2016-malware-review/
3 See, e.g., Common Sense Guide to Mitigating Insider Threats, 4th Edition. http://www.sei.cmu.edu/reports/12tr012.pdf.

Published by

National Law Forum
