Although data breaches caused by cyber-attacks get all the press, it is often negligence or a lack of basic processes, policies and procedures that results in data breaches.
The Government CIO Office compiles quarterly statistics about the main causes of reported data security incidents. In the last quarter, four of the five leading causes in cases where the ICO took action involved human errors and process failures:
- Loss or theft of paperwork – 91 incidents
- Data posted or faxed to incorrect recipient – 90 incidents
- Data sent by email to incorrect recipient – 33 incidents
- Insecure web page (including hacking) – 21 incidents
- Loss or theft of unencrypted device – 28 incidents
This is where staff security education comes in.
Successful security awareness programmes provide more than just information. They must be targeted, actionable and achievable, and they must encourage employee feedback.
More key requirements of a successful security awareness programme:
- It must be designed specifically for the audience the organisation is trying to reach.
- Learners must have clear instructions on the next steps to take.
- It should focus on multiple exercises that emphasise many facets of security, not just one type.
- Learning take-aways must be simple and manageable enough to be adopted.
- There should be a follow-up process to gather feedback on employees’ experience of the engagement and what improvements can be made.
- Assessments must form part of the programme.
To develop an innovative, structured security awareness programme that delivers the desired change in employee behaviour, an organisation needs to cultivate a security culture. Security needs to be woven into the organisation’s DNA and upheld by everyone – from the cleaners right up to the CEO.