Security Awareness Education: A Benefit in Increasing Security Compliance

Practical Security Awareness Program Strategies that Help Minimize Cybersecurity Risk (answers to common questions)

The increasing number of internal and external security threats and incidents in the U.S. has prompted organizations to review their security policies, procedures and other controls. Corporate giants that spend hundreds of thousands of dollars on data protection and physical security have fallen victim to high-profile breaches in recent years, resulting in the theft of sensitive customer information and affecting millions of customer records. Individual consumers have also fallen victim to elaborate scams and malicious software that steal personal data. It is evident that organizations need to do more to protect their data and to implement programs that continuously measure and improve their security processes. The results from this study suggest that security awareness education does more than contribute to security compliance. Implemented correctly, a security awareness program helps create a security-aware business culture within the organization and sustains an environment that keeps improving security compliance and minimizing the risk of security incidents.
Few would argue against the need for information security policy in today's workplace, for remote workers, and in society at large. Passwords that control access to files and applications, anti-malware software, and the security appliances and procedures that protect internal and remote networks, financial transactions and identities from online intruders are commonplace, but technology alone is not enough. Most organizations pair these controls with information security policies to help protect sensitive company information. The burning question is how employers ensure that employees actually comply with that policy. How can an employer influence an employee's knowledge of, and attitude toward, security policy? In other words, how can an employer increase security awareness, and will that awareness increase employee compliance with the company's information security policies? Research shows that properly implemented Information Security Awareness Education programs increase security compliance in the workplace because such education expands employee participation and knowledge, empowers both the employee and the employer, and creates a security-aware business culture within the organization.
What is Security Awareness Education?

Security Awareness Education is a knowledge or training program within an organization that informs employees about threats to the organization's valuable and/or sensitive assets, including information, and, more importantly, defines each employee's role in protecting those assets. Information categorized as "sensitive" may include financial data, trade secrets, passwords, email exchanges, and personal customer or employee information. Valuable assets may include corporate documents, products or equipment. Effective security awareness education covers why corporate data and other assets matter and how they are processed, controlled and protected; how security practices and procedures apply to the employee's own responsibilities within the organization; how security policies are enforced; and how the effectiveness of the training itself is measured and revised for continuous improvement.
Why do Organizations Need Security Awareness Education?

Research suggests that the majority of security incidents and breaches result from employee mistakes or improper conduct combined with a lack of adequate security policies and procedures. Organizations are more exposed to information security breaches than ever because of the growing number of networked and internet-connected devices. Individuals or groups with malicious intent can steal valuable information or harm an organization by obtaining data electronically, or by obtaining it from an employee who is unaware of the rules on disclosure and the protections that should apply. They can then use that information to reach coveted documents or physical or financial assets. The National Institute of Standards and Technology publishes standards and guidance on many aspects of information security and risk management, including security awareness and training (NIST Special Publication 800-50) and ransomware, precisely because so many groups with malicious intent are probing for these weaknesses. Some of the largest organizations in the nation have suffered serious breaches in recent years, and some have experienced significant loss of revenue and damage to their reputations within their industries. Here are a few examples from 2020 of breaches caused by human error:

On January 22, 2020, Microsoft disclosed a data breach that took place in December 2019 and exposed 250 million records. In a blog post, the company said that a change made to the database's network security group on December 5, 2019 contained misconfigured security rules that enabled exposure of the data. The misconfiguration was specific to an internal database used for support case analytics, Microsoft said, and did not represent an exposure of its commercial cloud services. A single rule change, made without review, was enough to bypass every other control on that system.
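The failure pattern in the Microsoft incident is an inbound rule that lets any source address reach a database port. The following is an added illustration, not code from the original page or from Microsoft: it audits a constructed list of network-security-group style rules (simplified first-match semantics, lowest priority number wins) and reports every sensitive port reachable from the internet. The rule schema, the list of sensitive ports and the sample rules are all assumptions made for this example.

```python
"""Audit NSG-style inbound rules for databases exposed to the internet.

Added example, not from the page or from Microsoft. The rule format below is an
assumed, simplified form of cloud network-security-group rules: rules are
evaluated in ascending `priority`, the first matching rule decides, and `source`
is a CIDR, '*' or a service tag.
"""
import ipaddress
from typing import Dict, List, Tuple

# Assumed for this illustration: services that must never accept public traffic.
SENSITIVE_PORTS: Dict[int, str] = {
    22: "ssh", 1433: "mssql", 3306: "mysql", 3389: "rdp",
    5432: "postgres", 6379: "redis", 9200: "elasticsearch", 27017: "mongodb",
}

# Address space considered internal; anything not wholly inside it is public.
INTERNAL_RANGES = [ipaddress.ip_network(r) for r in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16",
)]

Rule = Dict[str, object]


def is_public_source(source: str) -> bool:
    """True if the rule's source admits addresses outside the internal ranges."""
    token = source.strip()
    if token in ("*", "Any", "Internet"):
        return True
    try:
        net = ipaddress.ip_network(token, strict=False)
    except ValueError:
        return False  # other service tags (e.g. 'VirtualNetwork') are treated as internal
    return not any(net.version == r.version and net.subnet_of(r) for r in INTERNAL_RANGES)


def port_in_range(port: int, spec: str) -> bool:
    """True if `port` falls within a spec such as '9200', '9000-9300' or '*'."""
    token = spec.strip()
    if token == "*":
        return True
    if "-" in token:
        lo, hi = (int(p) for p in token.split("-", 1))
        return lo <= port <= hi
    return int(token) == port


def effective_rule(rules: List[Rule], port: int) -> Rule:
    """First-match evaluation for an inbound packet from a public address to `port`."""
    for rule in sorted(rules, key=lambda r: r["priority"]):
        if rule["direction"] != "Inbound" or not is_public_source(rule["source"]):
            continue
        if port_in_range(port, rule["destination_port"]):
            return rule
    return {"name": "<implicit deny>", "access": "Deny"}


def find_exposures(rules: List[Rule]) -> List[Tuple[int, str, str]]:
    """Return (port, service, rule name) for each sensitive port the internet can reach."""
    findings = []
    for port, service in sorted(SENSITIVE_PORTS.items()):
        rule = effective_rule(rules, port)
        if rule["access"] == "Allow":
            findings.append((port, service, str(rule["name"])))
    return findings


# Constructed sample rule sets. MISCONFIGURED mirrors the pattern described above:
# an allow-from-anywhere rule for the analytics database placed ahead of the deny-all.
MISCONFIGURED: List[Rule] = [
    {"name": "allow-https", "priority": 100, "direction": "Inbound", "access": "Allow",
     "source": "*", "destination_port": "443"},
    {"name": "allow-analytics-any", "priority": 110, "direction": "Inbound", "access": "Allow",
     "source": "*", "destination_port": "9200"},
    {"name": "deny-all-inbound", "priority": 4096, "direction": "Inbound", "access": "Deny",
     "source": "*", "destination_port": "*"},
]

# CORRECTED keeps the same rules but restricts the analytics rule to an internal range.
CORRECTED: List[Rule] = [
    dict(r, source="10.0.0.0/8") if r["name"] == "allow-analytics-any" else r
    for r in MISCONFIGURED
]

if __name__ == "__main__":
    for label, rules in (("misconfigured", MISCONFIGURED), ("corrected", CORRECTED)):
        print(label, find_exposures(rules))
```

Run it and the misconfigured set reports port 9200 reachable through `allow-analytics-any`, while the corrected set reports nothing. The same check, fed from an export of real rules, is the kind of automated control that catches a change like the one in the incident before an attacker does.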

On April 20, 2020, a major health system reported that records of 112,000 employees and patients had been accessed by a malicious actor who compromised employee email accounts through a phishing attack. The information accessed included names, birth dates, social security numbers, driver's license numbers, medical condition data and bank account data.

Symantec reported that, after declining in 2019, phishing increased in 2020 to account for 1 in every 4,200 emails (Varonis).
The Success of Security Awareness Training 

Following security awareness training, employees are equipped to identify and report attempted security breaches immediately, mitigating the risk of a significant incident; to recognize sensitive information and other valuable assets and know how to protect them; and to thwart deceptive social engineering (in which employees are talked into willingly supplying sensitive information by phone or in person) and email schemes (in which employees are enticed into clicking destructive links or opening malicious attachments) that steal data through files unknowingly installed on their systems (Gardner, Thomas, 2014). Figure 1 outlines the key components connected to successful training outcomes, including senior management participation and aligning the training content with the employee's own role and responsibilities.

Figure 1 - Process Components for Successful Security Awareness Education


Summary

You can obtain more information on building an effective Security Awareness Program from the National Institute of Standards and Technology's Computer Security Resource Center (CSRC).

The SecureScape Bulletin is your go-to resource for practical Project, Program, IT Risk Management and Performance updates. Also tune in for Special Reports on Business Resilience and Growth.

For more questions about this article or more information, visit the SecureScape Analytics "Contact Us" page at https://securescape.com