Best Practices for In-House IT Security Training to Implement NOW

Security breaches headline the news with alarming frequency, making this issue a front-and-center strategic focus for every business. Data security makes the news with regularity, and customers have started to avoid relationships with companies with known security issues.

The Scope of the Problem

What is the scope of the internal security breach problem? According to SCMagazine.com, “…internal employees account for 43 percent of data loss, half of the time these leaks are accidental, a new study from Intel Security indicates.”

Last year, Lookout surveyed one thousand federal employees. Lookout’s findings, summarized in SCMagazine.com, construe a warning for C-Suite teams everywhere:

“37 percent said they are willing to sacrifice government security to use a personal device at work despite understanding security concerns, and 40 percent of those working at agencies with policies preventing the use of personal smartphones admitted the rules have little to no impact on their behavior.”

• Specifically, how do some internal breaches happen? Lookout’s results point us in that direction as well: “Lookout’s State of Federal BYOD report also found that 24 percent of employees install apps from places other than official app stores, and that 18 percent reported encountering malware on their devices.”

• What gets leaked? SCMagazine.com reports that “Customer information … is likely to be taken 34 percent of the time when outside actors break into databases. Comparatively, customer information is only affected 25 percent of the time when internal people are involved. Most of the time, insiders compromise employee information.”

The good news is: employee IT security training can dramatically reduce the risk of a breach, help your enterprise retain customers, and protect your bottom line. Training in IT security can both raise awareness and impart needed skills—preventive approaches that make great financial sense.

Prevention in this arena is an efficient and effective strategic response. Think of it as closing a potentially costly security loophole to protect your product or intellectual property, your customers, and your employee data—all of which are vulnerable in the absence of IT security training across your employee base.

Components of IT & Data Security Training:

E-mail 

Email is the pathway of choice for most security breaches. Best practice security training requires a detailed review of how to manage an in-box to avoid becoming another breach statistic.

How is the company vulnerable via email?

Verizon’s annual Data Breach Investigations Report of 2015, summarized here, takes a tongue-in-cheek approach to report a serious yet common issue: staff-related email breaches. Here are their findings:

• “D’oh!”: sensitive information sent to incorrect recipients made up 30 percent of the errors that led to a data breach
• “My bad!”: publishing non-public data to public web servers totaled 17 percent of error incidents
• “Oops!”: insecure disposal of personal and medical data comprised 12 percent of errors

Visualize sending an attachment with confidential data to the wrong email address. It’s easy to do. Most devices now “guess” at what the user intends to type: the device often starts to fill in the wrong email address, which may go unnoticed by an untrained or unaware employee whose speedy keyboarding skills often make it unnecessary to review their screens. Just ask Goldman Sachs whose breach was caused by sending out a confidential attachment to a “gmail” address instead of the company’s “gs” address.

Training should raise awareness to help employees avoid the common “reply all” error in which an employee may inadvertently compromise confidentiality by sharing data with the wrong people.

Training should discuss the fact that spammers and phishers are now more sophisticated. It once was easy to spot the marketing of outlandish personal products, for instance, as spam or phishing. Now, spammers and phishers try to pass themselves off as a utility company, or PayPal, or some other familiar entity—and spotting the fakes is trickier than ever. Train staff to avoid clicking on suspicious attachments. They may be downloading malicious malware onto the company’s server if they do.

Make sure your email training covers these points, too:

• Encryption—why it is useful when to use it, and how. Simply having an enterprise-wide encryption policy has been found to be insufficient.

• Texting vulnerabilities and safety measures.

Password Tips

Never pass up passwords in every IT training. Proficient password use is key to data security.

While we may have progressed from the time when 12345 or “password” were popular, we still have room for improvement in the choice of passwords due to the use of computers to guess at passwords. That’s why your company security training requires a component on password best practices—currently summarized in a post from Wired.com:

• “Don’t write them down, get a password manager, use two-factor authentication whenever possible, and don’t use anything that’s easily guessable.”

• Do aim for length (not complexity), “keep it weird” (not familiar), set special characters apart (not bunched up), use a unique password for each site, change passwords less often, and add in another layer of authentication.

• Do instill in employees the importance of never sharing their passwords with anyone.

Threat Identifications and Reactions

Your company security training would remain incomplete without covering online threats.

What threats are we talking about? Viruses (and the backdoor vulnerabilities that occur afterward), worms, and any other malicious software that can infect and disable one computer or an enterprise-wide system.

As with email phishing, threats can come from seemingly safe websites that mirror legitimate company sites (cross-site scripting). Only helping employees remain alert to the possibility of falling prey to these tricks and scams can protect your company from a breach.

Once your company training takes place, run random tests to see whether employees have learned not to fall for phishing or click on a fake link.

• One prevention tip: ensure that employees with administrative access never surf the web from those administrative accounts.

• Another tip: make sure your IT team looks for signs of a breached system. Why? Once a system is breached, it is critical to remove the threat rapidly to prevent data loss or a follow-up virus or worm.

Social Media

Especially when customers are involved, your training should include a component on avoiding threats from social media use. Without training, employees may not make the connection between their social media site use and the real potential of breaching the privacy of either customers or colleagues.

Other security tips

• Don’t allow employees to plug USB drives into a company computer unless they know and trust the source.

• Train employees to avoid leaving their company laptop or other device unprotected. Train staff to keep devices password-protected and safe from theft.

• Have a solid BYOD policy in place for mobile devices and train employees to avoid apps except those from trusted sources that are work-related.

Final Pointers

• Create a culture of data security across the enterprise from top to bottom. According to Betanews.com, “One of the best ways to reduce risk is to implement regular and comprehensive training programs for all employees on the right way to manage, store and destroy physical and digital data.”

• Access an excellent, informative IDG video here featuring the vice president at Experian Data Breach Resolution, Michael Bruemmer. It is an overview of internal security breaches and employee awareness. Bruemmer points out that employees often do not understand all the implications of data breaches. He also underscores the need to drill down to offer job-specific security training which includes a heightened understanding of the ramifications of breaches for each job function, from marketing to operations to finance and customer service.

• Bruemmer also recommends training your staff twice per year—one annual training is no longer effective. He cautions that every employee needs to undergo regular training, including members of the C-suite team.

• Bruemmer suggests a carrot and stick approach to encouraging employees to focus on implementing best practices IT/data security. Find ways to make it a social and fun experience, and attach consequences for ignoring best practice security approaches.

• Trained employees are valuable employees. As Rees Johnson, SVP and GM of the Content Security Business Unit at Intel Security, pointed out to SCMagazine.com, in the event of an incident or data breach, check to ensure that employees learned and understood how the breach occurred and how to prevent it in the future.

Tie National, LLC is a leading expert in the best practice, multi-faceted approach to data security. We are on your side to help secure your data, your customers, your products and intellectual property, and your company’s bottom line. Contact us and learn more about how we can help.