It’s a truism that educating employees is one of the most important steps to preventing security breaches in the workplace. In fact, one survey found that two thirds of the professionals charged with data protection and privacy training point to employees as the largest source of failure in corporate IT security measures.
Surprisingly, though, businesses are not taking the obvious next step: ensuring that employees receive education on data security. The survey found that just 35% of senior leadership considers this kind of education to be a priority. This is despite the fact that an estimated 60% of employees lack knowledge of IT security risk, policies, and best practices.
FOLLOW A STRAIGHTFORWARD PATH TO EMPLOYEE EDUCATION ON DATA SECURITY
The good news is that it may be relatively straightforward to remediate this security situation. As with most projects, you need both a plan and an executive sponsor. If employee security training is not a priority at your business, odds are that you don’t have a CISO. Alternatives in the C-suite that make good candidates for sponsoring an IT education project include the CIO, CTO, and the Chief Human Resources Officer.
The remediation plan itself will include a minimum of three phases. Who ends up on the hook for creating and executing that plan depends in part on who your executive sponsor turns out to be. It’s always a safe bet to engage qualified third parties for this part of the process.
TAKE A PHASED APPROACH TO EDUCATING EMPLOYEES ON IT SECURITY
Preparing employees to be a key part of your overall IT security strategy is not a one-and-done activity. It is an ongoing process that usually takes place in distinct phases. In the first phase, you establish a baseline of data security education company-wide. This means that every employee must undergo training on your company’s IT policies and best practices.
It is worth noting here that the purpose of the training, in this case, is to ensure that all employees have the same basic level of knowledge about IT security as it applies to your business. There is another level of training, not covered here, that is role-based: specialized training that relates to the specific roles employees hold in the organization.
MAKE SURE EVERYONE GETS AT LEAST THE BASIC LEVEL OF TRAINING
Customer service specialists may require specific security training that differs from accounting and product development training. Here, we are concerned only with the basics. For both the training and for the overall plan development, you can get the job done using internal resources but can likely get it done more quickly, efficiently, and effectively with third-party assistance.
The next phase in the plan relates to new hires. The same baseline security training that you require of all current employees should become a part of the onboarding process for new employees. This ensures that everyone is on the same level of preparedness for the third phase of the plan.
The final phase of the plan is to deliver ongoing security training updates at set intervals throughout each employee’s tenure with the company. This commonly takes the form of mandatory annual refresher training. There are two key benefits to annual refresher courses. The first is simply awareness. It is all too easy to forget best practices over time, so a regular heads-up helps keep them top of mind. The second benefit, as you might expect, is keeping employees up to date on the new forms of cyberattacks. Cybercriminals are persistent and innovative, and your business will need to keep pace.
If you are interested in learning more about IT security challenges, we invite you to check out Evolving Challenges in IT Security.