Not a Member? Get access to HR news and resources that you can trust.
HR professionals can play a key role in creating business efficiency—starting with their own department.
Is your employee handbook ready for the New Year? With SHRM’s Employee Handbook Builder get peace of mind that your handbook is up-to-date.
Get the HR education you need without travel expenses or time out of the office.
We don't just visit a city, we take it over. Join us in NOLA -- June 18 - 21, 2017.
A recent study by U.K.-based Egress Software Technologies, an information security company, refutes one of the most common information security fallacies—that information security is a technology problem.
Most businesses view the responsibility of mitigating information security risks as being squarely in the purview of their information technology department. However, the Egress report reveals that human error actually accounted for nearly two-thirds of security compromises, far exceeding causes like insecure websites and hacking.
While such technological measures as anti-virus software, access controls, firewalls and intrusion detection systems are clearly important, their effectiveness pales in comparison to the benefits gained by providing security awareness training to employees.
Just as troubling, a recent study report from Leesburg, Va.-based information security company PhishMe, the PhishMe Q1 2016 Malware Review, revealed a 789 percent increase in e-mail phishing attacks containing malicious code, including ransomware, in the first quarter of 2016 over the final quarter of 2015.
Humans Are Fallible
Phishing, which is an attempt to obtain confidential information or access to such information by fraudulently posing as a legitimate company or contact seeking information via e-mail, instant message or other electronic communication, tends to work well on employees who have not been trained to recognize these scams. A successful phishing expedition can result in the loss of confidential and financial information, system disruption, and consumer litigation exposure.
Every industry is impacted and at risk.
The results of these studies should serve as a clarion call to businesses. According to the fourth edition of the Common Sense Guide to Mitigating Insider Threats from the Carnegie Mellon Software Engineering Institute, security awareness training is the key to improved security. Yet, it is one of the most neglected areas in many businesses' information security programs.
Security awareness training for employees is one of the most important and effective means of reducing the potential for costly errors in handling sensitive information and protecting company information systems. Regardless of how much money and effort a business spends on its technological security measures, it cannot achieve an adequate level of security without addressing the human component.
Help employees understand that good security practices can benefit them personally.
Awareness training can ensure employees have a solid understanding of employer security practices and policies and can also teach employees the tell-tale signs of an attempt to gain improper access to computer systems and confidential information. In contrast, untrained employees are much more susceptible to malware, phishing attacks and other forms of social engineering. They can do substantial harm to a company's systems and put its data at risk. The recent spate of ransomware attacks highlight just how critical the human element really is, as almost every one of those attacks resulted from human error.
What Effective Training Looks Like
First, it is critical that training programs have the participation of, and include input from, all relevant stakeholders at the company, including those in the human resources, information technology, information security, legal and compliance departments.
A successful training program should:
Additionally, comprehensive and understandable employee policies are critical to a company's information security safeguards. Readable and effective policies can be used in conjunction with effective employee training to reduce data security incidents caused by human error.
Finally, one of the most effective ways to increase employee security awareness is to help employees understand that good security practices can also benefit them personally. Being security-aware not only serves to protect their employer's systems, but also helps in better securing the employee's own personal data and computers. For example, by being more vigilant in identifying potential phishing attacks at work, employees will become more vigilant in using home e-mail accounts and thereby better able to protect their own data, photographs, financial accounts, etc.
To assist businesses in effective security awareness training, we have developed this Employee Information Security Checklist, which highlights key areas for employees to better protect not only their employer's systems and data, but also their personal systems and data.
Michael R. Overly, Eileen R. Ridley and Chanley T. Howell are attorneys with Foley & Lardner LLP, an international law firm based in Milwaukee.
You have successfully saved this page as a bookmark.
Please confirm that you want to proceed with deleting bookmark.
You have successfully removed bookmark.
Please log in as a SHRM member before saving bookmarks.
Your session has expired. Please log in again before saving bookmarks.
Please purchase a SHRM membership before saving bookmarks.
An error has occurred
Recommended for you
HR Education in a City Near You
SHRM’s HR Vendor Directory contains over 3,200 companies