[BreachExchange] Employee Error Accounts for Most Security Breaches

[Audrey McNeil]

http://www.natlawreview.com/article/employee-error-accounts-most-security-breaches

A recent study by a well-known information security company captures one of
the most common information security fallacies: that information security
is a technology problem. Most businesses view mitigating information
security risks as falling squarely in the purview of their information
technology department. However, this study reports that human error
actually accounted for nearly two-thirds of security compromises, far
exceeding causes like insecure websites and hacking.1 While technological
measures (e.g., anti-virus software, access controls, firewalls, and
intrusion detection systems) are clearly important, their effectiveness
pales in comparison to the benefits gained by effective security awareness
training.

Just as troubling, another recent study found a 789% increase in e-mail
phishing attacks containing malicious code, including ransomware, in the
first quarter of 2016 over the final quarter of 2015.2 Phishing, which is
an attempt to obtain confidential information or access by fraudulently
posing as a legitimate company seeking information via e-mail, instant
message or other electronic communication, specifically preys on employees
who have not been trained to recognize the scam. A successful phishing
expedition can result in the loss of confidential and financial
information, system disruption and consumer litigation exposure. Every
industry is impacted and at risk.

The results of these studies should serve as a clarion call to businesses.
While we have long known that the human component is the key to improved
security,3 it is also one of the most neglected areas in many business’
information security programs. Security awareness training for employees is
one of the most important and effective means of reducing the potential for
costly errors in handling sensitive information and protecting company
information systems. Regardless of how much money and effort a business
spends on its technological security measures, it cannot achieve an
adequate level of security without addressing the human component.

Awareness training can ensure employees have a solid understanding of
employer security practices and policies, as well as the tell-tale signs of
an attempt to gain improper access to computer systems and confidential
information. In contrast, uninformed employees are susceptible to mistakes,
malware, phishing attacks, and other forms of social engineering. They can
do substantial harm to a company’s systems and place its data at risk. The
recent spate of ransomware attacks highlight just how critical the human
element really is, as almost every one of those attacks resulted from human
error.

First and foremost, it is critical that training programs have the
participation of and include input from all relevant stakeholders at the
company, including Human Resources, IT, Information Security, Legal, and
Compliance.

Key aspects of any successful training program should also include the
following:

Train on an ongoing basis. Avoid limiting training to when an employee is
first hired or assigned to a new role in the organization

Train creatively, not just in a non-interactive classroom setting

Look for means to introduce interactivity into the training process

Have a means of measuring progress

To be truly effective, a security awareness program must provide “multiple
methods of communicating awareness and educating employees as well (for
example, posters, letters, memos, web based training, meetings, and
promotions).”[1]

Training can be conducted through a number of means:

Classroom sessions

Webinars

Security posters and other materials in common areas

Brown bag lunches

Helpful hints distributed to employees via e-mail or corporate intranet
posts

Simulated phishing attacks (e.g., systems that will periodically send
phishing e-mail to employees attempting to lure them into clicking on an
attachment or a hyperlink and then alerting the employee that they have
engaged in an insecure activity)

Additionally, having comprehensive and understandable employee policies is
critical to a company’s information security safeguards. Readable and
effective policies can be used in conjunction with effective employee
training to reduce data security incidents caused by human error.

Finally, one of the most effective ways to increase employee security
awareness is to help employees understand that good security practices can
also benefit them personally. Being security-aware not only serves to
protect their employer’s systems, but also helps in better securing the
employee’s own personal data and computers. For example, by being more
vigilant in identifying potential phishing attacks at work, the employee
will become more vigilant in using home e-mail accounts and thereby protect
their own data, photographs, financial accounts, etc.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20160608/f1eebe2b/attachment.html>