Outsourcing Security Doesn’t Mean Your Job Is Done
In a previous post, we discussed the growing danger and complexity of security threats and why outsourcing security has become a business necessity, especially for resource-strapped and budget-conscious small-to-midsize businesses (SMBs). However, outsourcing security doesn’t absolve the organization or its employees of all security-related responsibilities.
Just how bad has it gotten? According to Check Point’s 2015 Security Report, the average number of malware attacks increased from 2.2 per hour in 2013 to 106 per hour in 2014. Insider threats are on the rise as the emergence of bring-your-own-device (BYOD) policies and risky shadow IT applications provide more ways for current and former employees to access the network. Mobility is a major challenge as 42 percent of companies were victims of mobile-related breaches that cost more than $250,000 on average to address.
Of course, the weakest link in the security chain continues to be human beings. Email phishing scams and social engineering – a method in which hackers interact with employees to break through security and carry out cyberattacks – are expanding. As sophisticated as today’s cybercriminals are, they just want access to data, and the easiest way to gain access is through employees, not advanced security software. According to the BakerHostetler Data Security Incident Response Report 2015, the top cause of IT security incidents was employee negligence.
The increased targeting of employees underscores the need for security awareness training. Uneducated, untrained employees make the hacker’s job easy. Too many people bring a “share everything” social media mentality to the workplace, connect with people they don’t know, fail to log out of their accounts, and give their passwords to others without considering the consequences.
Formal training and documented policies, and enforcement of these policies, are essential to not only improving network security, but also ensuring regulatory compliance. All too often, security and compliance are assumed to be the responsibility of a select few. However, individual employees who violate compliance regulations due to carelessness or ignorance can bring heavy penalties on their employers while potentially compromising the private information of their customers.
A security awareness program should include both general best practices and the specific responsibilities of individual employees. In addition to increasing understanding of phishing and other hacking methods, organizations should establish procedures for reporting a suspected breach to minimize its impact. Security should be covered in training for new employees and in ongoing refresher training for all employees. In fact, security awareness programs are now required by the Payment Card Industry Data Security Standard (PCI DSS), the Health Insurance Portability and Accountability Act (HIPAA), and other regulatory standards.
The biggest problem with most security awareness programs is the absence of clear goals. What behaviors need to change? What is each employee’s role? What is the penalty for violating the company policy, and how will this improve security? Many programs also tend to focus on certain topics even though they haven’t assessed the risk related to those topics. Organizations need to better understand the true problem, and how employees typically encounter these problems, in order to maximize the effectiveness of their security awareness programs.
Security is an all-hands-on-deck, round-the-clock process, even when security is outsourced. Every employee needs to be vigilant, and every organization needs to provide its employees with the necessary training to prevent a breach.