By Mette Søs Gottlieb, Learning Expert
People are still a company’s most valuable resource – and its greatest threat. When it comes to cybersecurity, human error is responsible for up to 60% of data breaches. Aside from malicious actors, a lack of education and/or diligence is to blame rather than intentional action. This is why organizations need to embed security training into their regular operations and create a culture of continuous training.
A 2020 Gallagher survey reported that 60% of data breaches were inadvertently caused by humans. While the numbers vary from survey to survey, they agree that human error accounts for far too many cyber incidents. And a recent Ponemon Institute report found that the number of insider-caused cybersecurity incidents has increased by 47% since 2018. The problem is increasing, not improving.
All sorts of human error are possible. Phishing remains among the top attack types because people naively click on links sent via email. Other popular errors include opening unknown attachments and entering personal or confidential information into what seems like a friendly and familiar website where the user has an account. These errors are driven by social engineering – the technique by which hackers take advantage of typical human behavior.
Since lockdown restrictions have been put in place, 46% of respondents to a recent study by Barracuda Networks had experienced at least one security incident; 51% saw an increase in email phishing attacks.
There are several reasons behind this. One is the sudden remote work mandate, which caught many organizations off guard. Some security measures may have been given less attention or were overlooked entirely. The other key reason again comes down to human behavior. Research from Tessian revealed 52% of employees feel like they can get away with riskier behavior when working from home, including sharing confidential files via email instead of more trusted methods. They’re often using their own devices and networks, which adds further complication.
Though employees commit such missteps, employers must share the blame. The fact is that most companies aren’t putting enough money into training when they make technology investments. Organizations routinely spend as much as 85% of their IT budget on technology and only 5% on education and training for that technology.
Organizations are allocating more budget to enhance cybersecurity – implementing tools such as multi-factor authentication and advanced firewalls – but tools alone aren’t enough. Security training that highlights the importance of employee actions will create greater awareness and ensure your organization can enjoy its digital workplace while remaining secure.
Cyberhygiene is a collective term for the practices and steps that users of computers and other devices take to maintain system health and improve online security. As part of the shift toward training, more time and effort need to be spent on this topic. Breaches aren’t the only thing good cybersecurity hygiene can address – it can also help with preventing data loss, misplaced data and more.
Organizations need to implement and train on a cybersecurity hygiene policy – these are not things you can safely assume employees know. Security is now part of everyone’s job, and training must be embedded to make that fact explicit.
The threat landscape changes constantly, and so must your training and education efforts. Training isn’t a one-and-done, point-in-time need or merely an onboarding activity. It must be embedded into the daily and weekly operations of your organization. The best way to accomplish this is by making the training easily accessible to employees, whenever and wherever they are.
With educational modules located in a central repository, it becomes easier to train your employees on the risks, tools and procedures that surround cybersecurity. Learning management systems were created to facilitate this kind of training. Such a system empowers employees to be on the front line for prevention of cyberattacks and data breaches.
A learning management system has other benefits. You can easily share important security updates (regulations, software updates and so on) and information to all segments of the organization and make it available to employees at all times. You also can provide training that’s specific to an employee’s job role, location or specialization.
If you’ve got a cybersecurity problem, it could be that you have a training problem. Educating your employees is all the more critical in today’s remote work environment and its added risks. With data showing a significant percentage of breaches is caused by human error, it’s time to up your security training game. Not just during this disruptive season but as part of a culture of training.