This Month Only! >> $20 off and a FREE SHRM tote with your membership and code TOTE2018!
Sign up for free email newsletters and get more SHRM content delivered to your inbox.
Is your employee handbook keeping up with the changing world of work? With SHRM's Employee Handbook Builder get peace of mind that your handbook is up-to-date.
Build competencies, establish credibility and advance your career—while earning PDCs—at SHRM Seminars in 12 cities across the U.S. this spring.
#SHRM18 will expand your perspective – on your organization, on your career, and on the way you approach HR. Join us in Chicago June 17-20, 2018
Members may download one copy of our sample forms and templates for your personal use within your organization. Please note that all such forms and policies should be reviewed by your legal counsel for compliance with applicable law, and should be modified to suit your organization’s culture, industry, and practices. Neither members nor non-members may reproduce such samples in any other way (e.g., to republish in a book or use for a commercial purpose) without SHRM’s permission. To request permission for specific items, click on the “reuse permissions” button on the page where you find the item.
A recent study by U.K.-based Egress Software Technologies, an information security company, refutes one of the most common information security fallacies—that information security is a technology problem.
Most businesses view the responsibility of mitigating information security risks as being squarely in the purview of their information technology department. However, the Egress report reveals that human error actually accounted for nearly two-thirds of security compromises, far exceeding causes like insecure websites and hacking.
While such technological measures as anti-virus software, access controls, firewalls and intrusion detection systems are clearly important, their effectiveness pales in comparison to the benefits gained by providing security awareness training to employees.
Just as troubling, a recent study report from Leesburg, Va.-based information security company PhishMe, the PhishMe Q1 2016 Malware Review, revealed a 789 percent increase in e-mail phishing attacks containing malicious code, including ransomware, in the first quarter of 2016 over the final quarter of 2015.
Humans Are Fallible
Phishing, which is an attempt to obtain confidential information or access to such information by fraudulently posing as a legitimate company or contact seeking information via e-mail, instant message or other electronic communication, tends to work well on employees who have not been trained to recognize these scams. A successful phishing expedition can result in the loss of confidential and financial information, system disruption, and consumer litigation exposure.
Every industry is impacted and at risk.
The results of these studies should serve as a clarion call to businesses. According to the fourth edition of the Common Sense Guide to Mitigating Insider Threats from the Carnegie Mellon Software Engineering Institute, security awareness training is the key to improved security. Yet, it is one of the most neglected areas in many businesses' information security programs.
Security awareness training for employees is one of the most important and effective means of reducing the potential for costly errors in handling sensitive information and protecting company information systems. Regardless of how much money and effort a business spends on its technological security measures, it cannot achieve an adequate level of security without addressing the human component.
Help employees understand that good security practices can benefit them personally.
Awareness training can ensure employees have a solid understanding of employer security practices and policies and can also teach employees the tell-tale signs of an attempt to gain improper access to computer systems and confidential information. In contrast, untrained employees are much more susceptible to malware, phishing attacks and other forms of social engineering. They can do substantial harm to a company's systems and put its data at risk. The recent spate of ransomware attacks highlight just how critical the human element really is, as almost every one of those attacks resulted from human error.
What Effective Training Looks Like
First, it is critical that training programs have the participation of, and include input from, all relevant stakeholders at the company, including those in the human resources, information technology, information security, legal and compliance departments.
A successful training program should:
Additionally, comprehensive and understandable employee policies are critical to a company's information security safeguards. Readable and effective policies can be used in conjunction with effective employee training to reduce data security incidents caused by human error.
Finally, one of the most effective ways to increase employee security awareness is to help employees understand that good security practices can also benefit them personally. Being security-aware not only serves to protect their employer's systems, but also helps in better securing the employee's own personal data and computers. For example, by being more vigilant in identifying potential phishing attacks at work, employees will become more vigilant in using home e-mail accounts and thereby better able to protect their own data, photographs, financial accounts, etc.
To assist businesses in effective security awareness training, we have developed this Employee Information Security Checklist, which highlights key areas for employees to better protect not only their employer's systems and data, but also their personal systems and data.
Michael R. Overly, Eileen R. Ridley and Chanley T. Howell are attorneys with Foley & Lardner LLP, an international law firm based in Milwaukee.
You have successfully saved this page as a bookmark.
Please confirm that you want to proceed with deleting bookmark.
You have successfully removed bookmark.
Please log in as a SHRM member before saving bookmarks.
Please sign in as a SHRM member before saving bookmarks.
Please purchase a SHRM membership before saving bookmarks.
An error has occurred
Recommended for you
Become a SHRM Member
SHRM’s HR Vendor Directory contains over 10,000 companies