Anyone familiar with ISO 27001 will know about the three pillars of information security: people, processes and technology.
The latter two tend to generate the most attention among managers, because they are the easiest to implement. All you need to do is find an appropriate solution (like anti-malware software or a Cloud services provider), make the purchase and set it up.
The people side of things, by contrast, is complex. Off-the-shelf staff awareness training solutions will help educate employees on many threats, but it requires constant vigilance from organisations to ensure that everyone is following the established guidance.
That’s something that organisations often fail to do, and as a result, human error is one of the biggest causes of data breaches.
The threat landscape
You might ask why, if employees play such a big role in information security, organisations overlook the ‘people’ aspect.
One reason concerns the way organisations perceive the threat landscape. When assessing the ways that breaches might occur, it’s easy to see human error as simply one vulnerability among a hoard of other threats related to cyber crime – system weaknesses, malware, denial of service, ransomware and so on.
Those multitude of threats appear to be things that technology is best equipped to defend against. As such, organisations top priority is often to invest in the likes of anti-malware solutions and vulnerability scans.
In reality, employees play a crucial role in defending against many of these threats.
Take ransomware for example: it’s one of the biggest cyber crime threats organisations face, with an estimated 152 million attacks in the first three quarters of 2019.
But these aren’t simply standard cyber attacks in which IT vulnerabilities are exploited. A Statista study found that 67% of ransomware attacks begin with phishing emails – i.e. seemingly legitimate messages that try to trick recipients into opening a malicious link or infected attachment.
Organisations can’t rely on spam filters to block these attacks, because cyber criminals are constantly findings ways to circumvent them. They must instead teach employees how to spot phishing emails and regularly remind them of these lessons.
What are the risks?
Phishing scams are just one of the ways that employees can be exploited – indeed, it’s only one tactic under the broader remit of social engineering, which describes the way people can be manipulated into performing tasks.
In a cyber security context, social engineering refers to cyber criminals persuading staff to give them access to sensitive information, such as login credentials or databases containing valuable company or personal data.
These methods can also be used to gain physical access to a secure location, something that a criminal might do to steal information or plant something malicious – like an infected USB stick.
It’s not only malicious actors that can misappropriate information or compromise systems, though. Negligent employees can easily lose documents or introduce vulnerabilities into the organisation if they’re not careful.
For example, they might leave files in a public place or visit a dodgy website that installs malware on a company device.
Another risk involves employees exposing sensitive data by failing to adhere to the company’s policies.
This often happens when staff misconfigure a database on the Cloud. In other words, they create a vulnerability – such as failing to password-protect it – meaning anyone who finds the database can access the information it contains.
Other examples are the failure to dispose of physical documents properly and sending information to the wrong person.
How to mitigate the risk
Although you can’t eradicate human error completely, there are steps you can take to manage those risks.
The most effective method is staff awareness training, which provides comprehensive coverage of a variety of essential topics.
The ease with which you can repeat courses makes e-learning ideal for new starters and for refreshing employees’ knowledge.
But this isn’t all you should be doing. Visual reminders – such as posters and email signatures – reinforce your company culture and serve as a reminder of your organisation’s commitment to information security.
The most important thing you must do, though, is to get employees to buy into information security in a personal way. It’s one thing to teach them about the concepts involved, but it’s another to explain exactly how these threats affect them.
By demonstrating the personal consequences of poor information security practices, you instil a level of accountability in employees, which will reduce the number of mistakes caused by negligence.
How to get started
Those looking to give their employees the perfect introduction to the threats they face might be interested in our Information Security and Cyber Security Staff Awareness E-Learning Course.
This interactive training course helps employees understand the importance of information security and compliance risks. It covers essential topics, such as email-based threats, malware and organisational policies to incident reporting and response.