In the recent wake of JP Morgan and Sony’s large scale security breaches, businesses are beginning to question the quality of their IT security tools and processes. Many are looking to the IT department, both for answers and for someone to blame. This is not surprising; a recent UK survey by SolarWinds has found that 84 per cent of IT Pros reported that their organisations have experienced a significant attack.
The reality is that human error is still the root cause of many network mishaps and attacks. While top-of-the-line security systems can prevent technical problems, businesses also need to protect the network from the employees who use those systems day in, day out, and who often unwittingly put the network at risk.
A shocking 39 per cent of UK IT Pros said their organisations either do not have defined security best practices or, if they have them, do not regularly follow them. To be able to compete and survive in 2015, companies must define best practices for their organisation and implement security policies. When a new process or policy is established, security training must be conducted across the entire business to ensure these processes are implemented and followed appropriately to reduce risk.
It seems simple, but the best way to protect a company is to make sure that staff at all levels, from your admin clerk to your CEO, understand the security risks associated with accessing unsafe websites, storing and accessing data via unsecured cloud services, using weak passwords and not properly encrypting sensitive information. Implementing technical controls to limit user permissions is necessary, but not strong enough on its own. The best way to protect your company and reduce risk is a combination of technical controls and employee education.
Training and understanding are vital, and in order to avoid human error, a human-centric approach to information security must be adopted. IT and HR departments need to work closely together to develop in-depth, easy-to-understand training programmes that can be rolled out across the business. Additional buy-in from senior management is also required so that employees can take time out of their day to attend such training sessions.
IT security is constantly evolving, and employees need to be educated regularly on how to keep themselves and their business secure. Attending one training session as part of a new employee orientation is simply not sufficient. Conducting simple and relevant internal security workshops will help employees learn about breaches and their potential impact on the business – perhaps even encouraging employees to become aware of their own personal IT security.
Moreover, employees are far more likely to support policies and procedures once they fully understand the consequences and the reasons behind them. Businesses must be prepared to invest in training for the long term. And as your business network continues to develop and become more complex, so must your employees' educational journey.