When you’re responsible for the security of your company’s network — and all the sensitive data contained in it — sometimes you can’t help but dream of a world without users.
When you set up a hardware or software security control — provided you configured it correctly and it’s up to date — you know it will do what it’s supposed to do without fail, never taking a shortcut, experiencing a “brain fart,” or suffering from sheer ignorance.
Employees, on the other hand, need to be constantly reminded to take data security seriously.
And it is serious. The worldwide IT organization CompTIA found in a recent study that human error accounts for over half of all data security breaches. Among those:
- 42 percent were due to users not following policies and procedures.
- 42 percent were caused by general carelessness.
- 31 percent involved “failure to get up to speed on new threats.”
Unfortunately, we trust our search engines and email systems and click away at the first search result or the email that we think our CEO or co-worker sent. By simply clicking on the wrong link in an email, unwittingly downloading a virus-laden attachment, or even clicking on a link from a search result, a user can wreak havoc on your network. (And that’s not to mention their lax attitudes toward passwords.)
How can you stop them? Your first and best defense is education. But with everything else on their plates, users are not always eager to learn and follow new security practices.
Here are a few tips for teaching data security awareness to your company’s employees and making it stick:
1. Do it Often
New security threats arise all the time. Did you know, for example, that viruses embedded in Word Docs and Excel sheets are back? How about the rising risk of malware-infected smartphones? And there are viruses for Macs out there even if your Mac friend says there aren’t.
If you’re only teaching your employees about data security when they start work — or even once a year — it’s not nearly enough. Cybercriminals move much too fast.
Conduct ongoing security training, and when new threats inevitably arise, be sure to alert your users. Email is adequate for this, but if your team is small enough, consider a quick powwow at the beginning or end of the workday. Or ask a manager to schedule you a minute or two during a team meeting, or hold a lunch and learn.
2. Keep it Short
Make your users’ short attention spans work in your favor. Studies show that people retain information better in short bursts, rather than through long-winded “info dumps.”
You may know everything there is to know about a particular data threat, but your users just need to know what they can do to protect themselves. Keep it short and to the point, and if users have follow-up questions, answer them one-on-one (unless they’re relevant to the whole group).
3. Make it Real
Engage with a security awareness training vendor to run sponsored, targeted email and other campaigns. These new services allow you to set up and monitor phishing and vishing programs, and you can review the results to see who your “clickers” are.
These systems are just what the doctor ordered for today’s threats, as they condition your end users over time and keep them on their toes. These programs include customized landing pages, so users know they clicked something they should not have, along with e-learning and training.
4. Don’t Neglect the C-Suite
Employees look to their leadership to set a good example. But all too often, executives are too distracted to deal with the details of data security.
“If the top executives are not involved directly, it can give the impression that cybersecurity is not a No. 1 priority; employees can do it tomorrow or whenever they have time,” writes veteran security pro Chris Riley.
Executives need to understand: good security practices are as much their problem as everyone else’s. Even more so, in fact. Who will the board blame first when the company lands on the front page of Google News for exposing customer information?
Meet with your company’s upper management regularly to talk about the latest cybersecurity threats. And come prepared to speak the language executives understand most: cost. (The average cost of a data breach has reached $4 million per incident.)
Once you have management on your side, the rest of the employees will follow along much more easily.
5. Get Help
You don’t have to do it alone.
An outsourced IT services provider can do a lot to shore up your company’s data security. In addition to setting up and monitoring anti-malware technology, an expert provider can help you devise a communications plan for instilling best practices among your team.
The right vendor can also help you put together and, most importantly, enforce a data security policy, ensuring your employees adhere to the lessons you’ve taught them.