By Mette Søs Gottlieb, Learning Expert
Employees continue to be the most significant risk factor when it comes to security. According to a study by Kaspersky Lab, 52% of businesses say employees are their biggest weakness in IT security, with their careless, unintentional actions putting business cybersecurity at risk. According to various other studies, human error accounts for the majority of data breaches, as much as 60 to 90%.
In the majority of instances, it’s not intentional action that’s to blame but rather a lack of education and/or diligence. (Of course, there will always be malicious actors, but that’s a whole other situation.) This is why organizations need to bake security training into their regular operations and create a culture of continuous training.
A 2018 study by risk management firm Kroll found that human error accounted for 88% of security incidents in the UK. A 2020 Gallagher survey reported that 60% of data breaches were inadvertently caused by humans. While the numbers vary from survey to survey, the overarching consensus is that human error accounts for far too many cyber incidents. And a recent Ponemon Institute report found that the number of insider-caused cybersecurity incidents has increased by 47% since 2018. The problem is getting worse, not better.
Errors run the gamut. The most common human mistakes include clicking on links sent via email, opening unknown attachments and entering personal or confidential information into what seems like a friendly and familiar website where the user has an account. These errors are driven by social engineering—the technique by which hackers take advantage of typical human behavior.
According to a recent study by Barracuda Networks, 46% of respondents had experienced at least one security incident since lockdown restrictions were in place; 51% saw an increase in email phishing attacks.
Multiple factors are at play here. For starters, many organizations rushed into a work-from-home strategy, which means some security measures may have been given less attention or were overlooked entirely. The other key factor again comes down to human behavior. Research from Tessian revealed 52% of employees believe they can get away with riskier behavior when working from home, including sharing confidential files via email instead of more trusted methods. They’re often using their own devices and networks, which adds further complications.
Employees cannot be held solely responsible for these errors; the fault lies jointly with their employers. The fact is that most companies aren’t putting enough money into training when they make technology investments. Organizations routinely spend as much as 85% of their IT budget on technology and only 5% on education and training for that technology. With stats like these, it’s a wonder that more human errors don’t occur.
Companies are spending increasing amounts of money on upholding the IT security of their business—implementing tools such as multi-factor authentication and advanced firewalls—but tools alone aren’t enough to guarantee optimal cybersecurity. Security training that simply but effectively highlights the importance of employee actions will create greater awareness and ensure the organization can enjoy the flexibility of a modern digital workplace while remaining secure.
As part of this shift, more time and effort need to be spent on cybersecurity hygiene. Cyber hygiene is a collective term for the practices and steps that users of computers and other devices take to maintain system health and improve online security. Breaches aren’t the only thing good cybersecurity hygiene can address; it also can help with preventing data loss, misplaced data and more.
Companies must have a cybersecurity hygiene policy in place that includes a specific training and education component—it cannot be taken for granted that employees already know these practices. Security is now part of everyone’s job, and training must be baked in to make that fact explicit.
Security threats are continually evolving and changing. Consequently, so should the training and education about them. Training isn’t a one-and-done, point-in-time need or merely an onboarding activity. It must be embedded in the daily and weekly operations of your organization. The best way to accomplish this is by making the training easily accessible to employees, whenever and wherever they are.
Learning management systems were created to facilitate this kind of training. With educational modules located in a central repository, it becomes easier to train your employees on the risks, tools and procedures that surround cybersecurity. This empowers them to be on the front line for prevention of cyberattacks and data breaches.
With a learning management system, you can also easily share important security updates (regulations, software updates and so on) and information to all segments of the organization and make it available to employees at all times. You also can provide training that’s specific to an employee’s job role, location or specialization.
It’s not entirely fair to repeat the adage that employees are an organization’s greatest security liability when so little time and resources are devoted to training them on new technologies and on basic cyber hygiene. This is particularly important with the explosion of remote workers and the increased risk this “new normal” represents. Given the volume of cyber incidents caused by human error, employers must rethink their security training approach to help their employees practice solid security measures. They must also ensure that this is a continuous effort built into daily operations.