More than 56 percent of corporate employees have not received security or policy awareness training from their organizations, according to Security Awareness Training: It’s Not Just for Compliance, a recent Enterprise Management Associates (EMA) survey of more than 600 non-IT and non-security staffers.
This is a problem for organizations, because without training people carry their unsafe personal cybersecurity habits into the workplace, where the consequences are far more damaging. Clicking a link in a phishing email can drop malware that spreads to hundreds of machines within seconds, or open a path for data theft. The person who clicked may not even realize they did anything wrong until it is too late.
Companies need to educate all employees about security threats so that they can prevent attacks at home and in the workplace. This will allow employees to establish solid security habits that become the rule rather than the exception.
The EMA study shows employees have some poor habits when it comes to cybersecurity:
- 30 percent leave mobile devices unattended in their vehicles.
- 33 percent use the same password for both work and personal devices.
- 35 percent have clicked on a link contained in an unsolicited email.
- 58 percent store sensitive information on their mobile devices.
- 59 percent have admitted storing work information in the cloud.
The lack of security awareness is obvious. Some basic training that makes all employees aware of their security responsibilities can prevent future breaches.
When we consider security in a discussion like this, we tend to think of firewalls, intrusion detection systems or advanced malware protection. However, those controls are the responsibility of the IT organization, or more specifically, the security specialists within it.
Herein lies the problem. In this model, security is always someone else’s job. If asked, the vast majority of people in any organization do not see themselves as part of the security infrastructure. Considering how many breaches begin with an employee who is unaware of their own poor security practices, the need for a paradigm shift in the way we think about IT security becomes obvious.
Let’s take a look at some different types of organizations (outside of large corporations) and some security challenges. Our goal should be to create a level of security awareness in all aspects of our lives so they become second nature, whether at home or on the job.
For families and parents, the online safety of children and family members is paramount. We need content protection on Internet browsers for our children, as well as monitoring their social interactions to ensure their safety. By protecting our computers, we keep our precious family assets such as photos, videos and personal financial information from hackers. If we understand the need for security awareness in our private lives, it will become a more natural consideration in our professional lives.
For faculty, staff and students, the Internet has provided huge learning opportunities as well as risks. Learning how to protect computers and engage in appropriate online behavior will reduce vulnerabilities and create a safer online environment. Students, teachers and administrators need to understand how to protect themselves, and must understand the link between the online and “real” world. In today’s immersive online culture, where the lines become blurry and have very real consequences, it is important to constantly define the difference for our children.
Small- and Medium-Size Businesses (SMBs)
Small- and medium-sized businesses face critical challenges due to limited resources and information, as well as competing priorities. The pace at which technology evolves makes it difficult to stay current with security, especially since SMBs tend to have more limited IT budgets.
However, better security awareness and planning can help these businesses protect their intellectual property and trade secrets, and reduce the loss of productivity due to downtime.
State and Local Governments
Local, state and central governments maintain an enormous amount of personal data and records on their citizens, as well as confidential government information, making them frequent targets.
Yet, many government entities are challenged with insufficiently secured infrastructure, lack of threat awareness and competing funding and resource priorities. Better security helps government bodies provide reliable services to the public, maintain citizen-to-government communications, and protect sensitive information.
Recently, I was at a conference of IT managers for county and local governments in Texas. During a session focused on data security, it was shocking to learn that the managers came to a consensus that, because few applications outside of email were used, there was little need for network security. This misunderstanding of potential attacks through email was astounding.
As the digital landscape has become more complex, the responsibility for securing organizational data has spread beyond the traditional IT professional. While security solutions have become more diverse, so have the threats, and they have grown more sophisticated. The result is a need to provide security awareness and training to everyone in the organization, for use both inside and outside of work. Creating an atmosphere of security awareness in one’s personal life builds positive security habits in one’s professional life.