Security Awareness and Training Solutions

Of Course, Information Security is Important

One of the most important assets any organization possesses is the information it holds and uses on a daily basis. Protecting and securing this information has become a strategic objective for most businesses, and it's vital to the organization's success. Just one mishap can wreak havoc on the organization's reputation, business valuation, customer trust, and employee morale and confidence, and possibly put the company in legal and regulatory jeopardy. As information security and privacy professionals, you know this all too well. You must balance providing access to critical information, which is the lifeblood of the organization, with protecting this information from intentional, unintentional and/or malicious threats. It's a difficult and challenging job.

Why Are Most Organizations Still at Risk?

Security technology has helped make information much more secure. Organizations have invested in firewalls, antivirus hardware and software, spam filters, smart cards, and other such technologies. Additionally, most organizations now have sound data protection policies and procedures in place for dealing with sensitive and business-critical information. But even though the technology works, and the data protection policies and procedures are in place, the number and severity of information security breaches are only getting worse. According to the Identity Theft Resource Center (ITRC), 2008 data breaches were up 69% from 2007. Why is that?

The missing piece of the equation, as always, is people. In one form or another, human error - not technical malfunction or inadequate business policies - is the most significant risk to protecting data. Based on the 2007 study from the IT Policy Compliance Group, human error is responsible for almost 76% of all data loss.

According to a study from Forrester Research, the average security breach can cost a company between $90 and $305 per lost record.

The human element is typically one of the weakest links in the data protection triangle of technology, business policy, and user awareness and training. While there has been great attention given to protecting data from external threats, evidence shows that it’s the authorized – yet unaware and unversed user – that currently poses the greatest risk to data protection. An effective security awareness and training initiative will address one of the highest risks you face in data protection today – the human element.

Security Awareness Best Practices

Why has the human element become one of the biggest risk factors facing data protection today? The answer: the industry has just done a better job of implementing security technology and aggressively pursuing good data protection policies and practices. But we often neglect to remember that it’s humans who have to use technology, implement the policies, and carry out the procedures. It shouldn’t be a surprise that human behavior, one of the hardest issues to deal with, is now at the forefront of risk.

“Investing time and money into securing the organization and its customers can be completely undermined if employees don’t understand their role in the security plan.”
- Luis Navarro, Sr. Security Consultant, Symantec

As security technology has become more effective, we have seen a rise in data protection incidents involving user-focused threats such as malware and social engineering. The human element is under attack like never before and it’s only going to get worse. People need to do more than read a policy to recognize and react properly to data protection threats. People can’t rely totally on technology to keep them safe and out of trouble. Users need to be conversant in good data protection practices and understand their role in keeping critical and sensitive information safe and secure.

Other industry experts have joined the chorus calling for more effective user involvement in a “best practice” data protection program:

Gartner states, “Technology can protect the workforce against external security threats to IT assets, but educating those users will also protect them against themselves.”

COSO makes the assertion that “Internal control is affected by people. It’s not merely policy manuals and forms, but people at every level of an organization.”

The human element is one of the biggest risks facing data protection today.

How Can You Lower Your Risk?

An effective awareness initiative can, and should, influence people and change workforce behavior. If it doesn’t, it’s not effective.
An effective awareness and training initiative can, and should, influence people and change workforce behavior. If it doesn’t, it’s not effective. An ineffective user awareness and training initiative is like turning off your firewall. It’s basically worthless. Done right, you should see a measurable improvement in positive workforce behaviors. As workforce awareness and knowledge go up, security and privacy incidents go down. Done incorrectly, or not done at all, you are left “just hoping” that your workforce, partners, and contractors do the right thing at the right time.

An ineffective user awareness and training program is like turning off your firewall. It’s basically worthless.

It makes sense that security and privacy professionals need to manage their risks proactively by constantly assessing and reassessing all threats and vulnerabilities and by improving data protection controls. If you are serious about data protection, you need to address the human factor in your assessments. This can be accomplished with a good user awareness and training strategy.

“Inadequate user awareness is the single most important thing we should tackle.”
- Richard Hackworth, Head of Group IT Security, HSBC

An effective corporate awareness and training program can greatly reduce many risks which cannot be addressed through security technology and policies alone. It can also help create and sustain a data protection “culture” within the organization. And, it doesn’t need to “break the bank” to achieve positive results and increased user involvement.

A good awareness and training initiative should:

A truly effective awareness and training initiative should support and complement the data protection program as a whole. The initiative should help people understand the implications of good data protection practices and how they relate to their individual role, their group, and the organization. A good awareness program will reduce your risk by helping users understand their obligations, understand their role in data protection activities, recognize data protection threats, and recognize that good data protection practices are important to their personal, as well as the organization’s, success.

Contact us today for a product demonstration or to discuss your awareness and training needs.