How to Educate Employees on Keeping Data Safe
Security breaches are serious business. Some breaches can end up costing even the average small business up to $200,000 based upon all the effort that goes into recovering from one. You can have the latest, state-of-the-art security systems, unbreakable passwords, the strongest firewalls, and the smartest IT personnel around, and it still might not matter. That’s because the increased security risk might not come from outside the organization but from within, specifically from the employees. Employees can open the door to all sorts of heightened security risks, often through no fault of their own. According to one recent survey, 59% of businesses say their most recent security breach was caused by human error. Employees can represent the weak point in an organization’s suit of armor, so it has become imperative that workers are taught how to keep company data safe. Every business will have different ideas on how to accomplish this, but a few strategies appear to be the most effective.
While it may be clear to business leaders, it bears repeating that employees often engage in behaviors that can increase the risks of a security breach. In a recent report, a survey of hundreds of IT leaders showed that 84% of employees use personal emails to send files filled with sensitive data. This isn’t a rare occurrence either. In fact, the survey indicated that more than half of employees who do this do it at least once a day. That’s not to say employees are willfully exposing valuable company data, only that in the course of their duties, workers find it more effective to move large files with personal accounts and not the tools provided by the company. Other bad behaviors may include downloading at-risk apps, ignoring company policies, or falling for social engineering scams. The key to preventing these bad behaviors and increasing computer security is educating employees in the best manner possible.
In many instances, employees simply aren’t aware of the type or severity of threats out there related to security. A simple training session when they begin employment won’t cut it. Training sessions should be an ongoing event, with frequent updates about the latest scams employees are likely to face. Training should also be done based on the role each employee in the company has. A sales representative has different responsibilities than an accountant, and they’re likely to encounter different security threats, so training them according to what they’re most likely to face is a wise move. Even if no new ground is covered in training, employees should be constantly reminded of safe security practices. Many companies find it helpful to have a monthly newsletter that outlines the security threats covered in news stories. The main point is that awareness is increased among employees, decreasing the chances their behavior leads to unintended consequences.
The How and Why
Most companies will enact security policies meant to curb risky behavior, but many employees find it easy to ignore the rules. For this reason, companies shouldn’t just tell employees what they should be doing; they should be explaining the how and why behind the rules. For example, it’s one thing to tell employees they should always use strong passwords to protect their accounts from cyber attacks. It’s another thing to explain why the passwords are important (phishing scams, social engineering) while also providing examples of what makes a password strong. The same goes for proper usage of the internet. Companies that advise employees not to go to suspicious sites will get less of a reaction than companies that provide a list of sites to avoid.
A Personal Touch
When all else fails, taking the personal approach to employee education can be quite effective. Some employees may not take security threats seriously since the bulk of the damage will be taken by the company. Applying the threats in a more personal way, however, will likely get their attention. People know why they protect their personal information, like using PIN numbers and securing important documents. Companies take added security measures for the same reason. If that fails, employees should know they may be punished should they be found responsible for a security breach. If the potential punishment includes possibly losing a job, employees are definitely going to see security as a responsibility they need to manage.
While no security system will be perfect, employees are often the first line of defense against cyber attacks. A knowledgeable workforce will have a better shot of keeping company data safe than one that is lax in its efforts. It’s in an organization’s best interests to educate its employees about the risks out there. Secure data means greater chances for future success for a company.
Opinions expressed by DZone contributors are their own.