Subscribe

Teach protective behaviour

Employee training and education is vital if companies want to reduce the risk of cyber attacks.

Grant Shortridge
By Grant Shortridge, Executive head of Striata Commercial Solutions.
Johannesburg, 29 May 2018
Grant Shortridge.
Grant Shortridge.

Today, companies of all sizes are vulnerable to data breaches. From financial institutions to social networks and retail giants, there are few industries that haven't been impacted by a significant data breach in the past few years.

These attacks can come at a massive cost to the company, with each stolen record only driving up the cost further.

According to a 2017 study by IBM and the Ponemon Institute, the average total organisational cost of a data breach in SA was R32 360 000. That's up 12% from the previous year. The cost per lost or stolen data record went up by 5% in the same period.

While the majority of data breaches still come from malicious and criminal cyber attacks, as many as 29% of South African data breaches are as a result of employee human error (such as opening an attachment on a phishing e-mail). System glitches and business process failures, meanwhile, represented 28% of all data breaches. Data breaches as a result of human error are also marginally more expensive, at R1 432 per capita, than those arising from glitches and process failures (R1 425 per capita).

While the effects of a data breach resulting from human error are costly, employee education can dramatically reduce the likelihood of one happening.

Despite this, IBM and the Ponemon Institute found 40% of companies have no plans in place for training and awareness programmes among their staff. Not only do these companies put themselves at greater risk of cyber attacks, they may soon face stiff penalties for failing to adequately protect the data they hold.

Once the Protection of Personal Information Act comes into effect, for example, companies could face fines of up to R10 million, with executives facing a possible 10 years in jail if data is stolen or leaked.

As such, there are clear incentives for prioritising training and education as a means of reducing the threat of cyber attacks. But, what should these initiatives look like?

Ongoing training

First off, companies need to remember that security training and education should be an ongoing project. What was adequate a year ago may not be adequate today.

Fraudsters have adopted increasingly sophisticated methods in recent years. Take e-mail, for example. Here, criminals have gotten better at mimicking the look and feel of legitimate e-mails. Once obvious "tells", such as non-official e-mail addresses, are more easily masked these days, which means even people who would once easily have spotted a suspicious e-mail can now be duped.

While cyber criminals have evolved, so have the technologies and solutions used to defend against them. But the people building these defences are in a technological arms race with the cyber criminals, making it impossible to rely on a single technical solution.

This arms race scenario means a multi-pronged approach is needed. Educating employees and customers about new forms of fraud and how to evade them should be as much of a priority as patching systems and implementing new security measures.

The right training

It is, of course, vital that employees don't just receive alerts about the latest threats, but information on how they can change their own behaviours to minimise those threats. After all, the easiest way for hackers to gain access to protected information is by compromising an employee's access.

Once they comprehend this, employees are more likely to engage with training around what could happen, how to recognise it and how to avoid being the point of failure in a data breach.

They're also more likely to ensure they understand and abide by the company's security and compliance measures.

Any company that gets this training right will be staffed with employees much less likely to be duped than would otherwise be the case.

Sweeping up

Employee training and education don't just make a difference when it comes to preventing cyber attacks; they also play important roles in reducing the impact of any cyber attacks that do take place.

According to IBM and the Ponemon Institute, employee training reduces the average per capita cost of a data breach by R65. That may not seem significant, but when multiplied by the hundreds of thousands, or even millions, of individual records a large company has, it quickly adds up.

To get the most out of employee education and training, a company shouldn't just concentrate on preventing cyber attacks, but ensure its employees know what to do if an attack happens.

Be consistent, involve everyone

While there are clear benefits to employee education and training, it's important to remember it cannot be a once-off thing. It has to be consistent and, perhaps most importantly, it has to involve everyone in the company, from the people staffing the reception desks to the CEO.

Don't make exceptions. Remember, it takes just one weak point to compromise the whole company.

Share