Here are four simple steps to begin your employee-training program.
Step 1: Start at the top. A successful training program starts with support from senior leadership. Get buy-in by clarifying the business risks and consequences to the company of a data breach. Consider these statistics as you build support.
- Forty-nine percent of data breaches are caused by malicious or criminal attacks, and 19 percent are related to employee negligence, according to the 2015 Cost of Data Breach Study by the Ponemon Institute.
- The same study found that $217 is the average cost per lost or stolen record, and that the breaches it examined involved between 5,655 and 96,550 compromised records.
- Eighty-four percent of employees are using personal email to send sensitive files and more than 50 percent expose company files or data by uploading to a cloud-based service such as Dropbox or YouSendIt, according to this report from Ipswitch.
Step 2: Increase employee awareness. Educate your staff and train them to handle confidential information, use email safely and follow security best practices, especially as increasingly sophisticated social engineering schemes find new ways to acquire sensitive data. If employees don’t understand how criminals operate and how they themselves can be targeted, they can’t be on the lookout for an attack.
- Train all employees – any one of them can become a target, not just those who are customer-facing.
- Make your employees part of the solution by emphasizing their role in protecting your company’s information and asking for their ideas to mitigate risk of a breach.
Step 3: Test the security savvy of your employees. If you can’t measure it, you can’t manage it. Start with understanding the level of your employees’ current security knowledge.
- Our Vice President of IT at Park Bank administers tests and works with a security firm to emulate phishing attacks on our employees. Administer this quiz to get a better understanding of your employees’ level of security knowledge.
- Consider working with an outside security firm to simulate phishing emails and other cyber attacks, so employees practice recognizing social engineering schemes before a real one arrives.
Step 4: Follow up with employees on their test results. Constant reinforcement and affirmation of progress will encourage your employees to remain vigilant.
- If an employee clicks on a simulated phishing attempt, share the results with that person privately, and point out the cues in the message that should have given it away, so the exercise is a lesson rather than a punishment.
- If you administer a quiz, show every employee their results and how each compares with the average.
- If you’re interested, we’ll share the aggregate results of our quiz.
It is commonly said that it takes 90 days to break a habit, and 90 more to form a new one. A successful training program will take time, but with consistent attention, employees can be a powerful deterrent to a data breach within your company.
This is not a comprehensive guide and is for informational purposes only. Please consult your IT professional for guidance specific to your company.