Don’t let employee training fall to the side of data security.

By: David Page
Security Analyst, QSA

When it comes to data security, many businesses tend to think of things like locks, firewalls, and the latest technology to protect their sensitive data. But they often overlook their biggest vulnerability: employees.

Now, I’m not saying employees are bad; they’re just human, and humans make mistakes. Unfortunately, many hackers will take advantage of human error to gain access to your data. You need to spend just as much time and money on your employees as you do on secure technology.

Many data breaches happen as a result of a well-meaning employee doing something to make your business vulnerable, whether it’s clicking on a phishing email that downloads malware, giving out sensitive information to someone they shouldn’t, or not being diligent in protecting their passwords. Most of these cases aren’t even intentional or malicious.

Why is training important?

A question a business may have is why employee training should matter so much. After all, a business just has to have a firewall and security policies in place and it should be good, right?

Wrong.

Your security policies are useless if your employees aren’t aware of them. For example, you may have a policy on what to do if you suspect a data breach. But if your employees aren’t trained in what they should do in that situation, they will likely make an error or waste time in reporting it to the right people, potentially causing your business more damage.

Another problem is social engineering, which is rapidly becoming a big threat against businesses of all types and sizes. The problem with social engineering is that it targets your employees specifically. If your employees aren’t trained to recognize social engineering tactics, you could be vulnerable to a data breach.

Finally, you and your employees should care about data security and maintaining compliance with PCI, HIPAA, and other industry data security standards. You need to instill a sense of urgency in your employees when it comes to data security. Sometimes they’re all that stands between your business and a damaging data breach.

Who should be trained in data security?

  • It’s important to train all of your employees on basic data security best practices.
  • It’s critical that employees with access to sensitive data know how to protect it.

Things like email phishing scams and social engineering can affect anyone in your business, from the top executive to the janitor. Make sure all of your employees are briefed on policies involving basic physical and data security.

What should employees be trained on?

It’s good to make a list of policies employees should be made aware of and be trained on. Some policies may include:
Basically, if you have a policy about security that involves your employees, your employees should know about it.

Tips for training employees

Holding yearly meetings isn’t enough anymore—your employees need a constant reminder to prioritize data security in their daily activities. They will also absorb more information if they receive training more often. Here are some tips to get your employees ready.
  • Set monthly training meetings: focus each month on a different aspect of data security, such as passwords, social engineering, or email phishing.
  • Give frequent reminders: these could be sent out in an email or newsletter that includes tips for employees.
  • Train employees on new policies ASAP: newly hired employees should also be trained on policies as quickly as possible.
  • Make training materials easily available: intranet sites are a great way to provide access to training and policy information.
  • Create incentives: reward your employees for being proactive.

Watch out for your employees

It’s important to make sure your employees understand how critical their role is in keeping your business’s data secure. Training employees should be a top priority in your overall data security strategy. After all, your employees are the ones standing between your data and the bad guys. Shouldn’t you make sure they know what to do?

Need help finding resources for employee training? Talk to us!

David Page is a Qualified Security Assessor and has been working at SecurityMetrics for two and a half years. He has over 18 years of experience in network and system engineering, design, and security.