When business leaders talk IT security, they are usually referring to two things: security technology itself and the IT workers who implement it. That’s not the whole story, however.
On the one hand, there’s the software and hardware (firewalls, anti-virus programs, appliances and the like) deployed at the office and on the network to protect company data and technology. On the other hand, there’s the staff tasked with supporting these tools. But technology and the IT team encompass just two components of a much larger security puzzle.
The important piece that is missing: the employee. Without effective security policies, awareness and skills development programs in place, all the technology in the world won’t fully protect a business.
Educating workers to companywide security initiatives and helping them to acquire the skills necessary to proactively take part in protecting business data is a critically important step. The move to highly virtualized and cloud-friendly computing environments perhaps makes it seem as if all the important security work is going on elsewhere. It’s not. The workforce still plays a central role in keeping IT assets safe and sound.
According to the SANS Institute, a leading provider of IT security training and certifications, employee security training should include classroom-style education, the creation of an in-house security awareness website, the consistent sharing of helpful hints and reminders, the use of visual aids such as posters to promote proven security strategies at work, and the distribution of flyers and other types of promotional materials that stress the reality of data breaches and offer tips to prevent them.
“These methods can help ensure employees have a solid understanding of company security policy, procedure and best practices,” writes the SANS Institute in its report on security awareness training.
As so-called digital natives take over the workplace, it has become increasingly easy to overlook the need for these types of security awareness and training initiatives. After all, these are people who have always been connected and often regularly share personal information digitally. Shouldn’t they intuitively care about security and know to take appropriate precautions with company data assets and systems? Unfortunately, that’s not always the case.
Always being able to store personal data electronically has made many of the youngest individuals in the workforce less likely to be concerned with data protection. They take security for granted, as a given, expecting technology and organizations to adequately protect their private information. What should be even more concerning to business is that for many millennials, the line between public and private is far more porous than for those born before the digital age.
Symantec notes in its “2013 Cost of Data Breach Study” that more than a third of worldwide data breaches result from the “human factor” — employees or contractors who simply made mistakes. Many of those errors could have been avoided with adequate security awareness and training.
The number of breached records averaged 23,647 per organization in 2012, according to Symantec. At an average cost of $130 to $136 per breach worldwide, that is a steep price for any business to pay.
If more companies implemented comprehensive security awareness and training programs, those numbers would almost certainly come down. These types of initiatives matter as much as ever in the workplace — maybe even more so.