In 2014 alone, over 348 million identities were exposed through data breaches. On average, a data breach costs an organization $6.5 million, up 11% from the previous year. In many companies, the responsibility for responding to this threat belongs to the Chief Technology Officer or Chief Security Officer — as it should. An unintended consequence of this arrangement, however, is that one effective and easily implemented solution is often overlooked: data security training for employees.
Data security training can live in the gray area between departments. While Chief Technology Officers (CTOs) are closely involved in selecting and implementing technical solutions to secure a company’s data, they often balk at the idea of introducing cyber security training: “Training isn’t our responsibility. It’s Human Resources’.” But here’s the thing: it is a CTO’s responsibility. Employee training complements software and hardware solutions to create a comprehensive data security program that addresses both the human and technical dimensions of data security.
Even if training falls under Human Resources (HR), Chief Technology Officers need to involve themselves in the decision. CTOs can help HR select the right data security training for the organization, and, more importantly, they can be a powerful advocate for the program, bringing their expertise to bear on the problem.
Still not convinced? Here are five reasons CTOs need to champion cyber security training at their organizations.
1.) Many Data Breaches Are Caused by Human Error
Though malicious attacks grab the headlines, a growing number of data breaches are the result of human error — whether careless mistakes or poor decisions. For example, according to a survey of 709 IT and IT security practitioners, external cyber attacks accounted for only 8% of data breaches, whereas 35% of data breaches were caused by employees’ loss of laptops or other devices, 27% were caused by mishandling data at rest (stored data), and another 23% were caused by mishandling data in motion (data being transferred between locations).
In other words, people, not technology, remain the greatest vulnerability in an organization’s data security program.
2.) Hackers Are Increasingly Targeting Users
It’s not just that data breaches are caused by human error. There’s evidence that criminals are now targeting users more aggressively. In 2015, Cisco reported that “attackers have increasingly shifted their focus from seeking to compromise servers and operating systems to seeking to exploit users at the browser and email level.”
After all, it’s often easier for criminals to trick a person into granting them access to a company’s network than to hack the network itself. In her testimony before Congress on the Expanding Cyber Threat, Cheri McGuire, Symantec’s Vice President of Global Government Affairs and Cybersecurity Policy, explained that “most attacks rely on social engineering — in the simplest of terms, trying to trick people into doing something that they would never do if fully cognizant of their actions.”
And here lies the irony of CTOs who aren’t involved in data security training. By doing their job effectively and preventing hackers from exploiting software and hardware vulnerabilities, CTOs are only making it more worthwhile for hackers to target employees directly.
This is why technical and human solutions to data security should be implemented side by side. Otherwise the organization will only succeed in redirecting hackers’ efforts from technical exploits to human vulnerabilities.
3.) Phishing Scams Are Getting Harder to Spot
Criminals are getting better at spoofing websites and crafting persuasive phishing emails that lure victims into volunteering sensitive information like their login credentials to your company’s networks.
In 2015, Cisco reported that “spear-phishing messages, a staple of online criminals for years, have evolved to the point where even experienced end users have a hard time spotting faked messages among their authentic emails.” Users may not be expecting other vectors of attack. For instance, Cisco also found that online advertisements are 182 times more likely to deliver malicious content than pornography.
Sophisticated scams mean that common sense isn’t enough to protect employees anymore. They need training to teach them to recognize the more subtle forms of persuasion.
Sophisticated scams also mean that filters can’t be relied on to detect phishing emails or even spam. Once they have an effective message, spammers change their messages just enough to avoid a CTO’s filters, leaving the judgment of employees as the last line of defense.
4.) Younger Employees May Be Less Sensitive to Security Issues
Millennials are now the largest living generation in the United States. This fact may reassure some CTOs, since Millennials are also supposed to be the most tech-savvy generation. Many Millennials grew up with computers in their pockets. But technical literacy doesn’t necessarily translate into safe decisions about how to handle data.
In fact, surveys have found that Millennials may engage in more risky behavior when it comes to data security. In a recent survey, 15% of Millennials said they were “very likely” and 41% said they were “moderately likely” to find ways around restrictive security controls. One writer has even dubbed them “generation leaky.”
Some experts argue that Millennials see a trade-off between efficiency and security, and when push comes to shove, they choose efficiency. Similarly, having grown up with quick and easy access to data, Millennials may continue to expect that level of access at work even when it’s inappropriate.
For example, referencing a new study, Sarah Green Carmichael, a senior editor at Harvard Business Review, noted that “the primary reason Millennials cited for not seeking company approval before downloading a new cloud app was that the IT department simply takes too long.”
This claim isn’t meant to insult Millennials, but rather to illustrate that while younger generations may be the most technically savvy, like everyone else, they need to be trained on data security.
5.) Small Reductions Have a Big Effect
Maybe the best reason to consider training your employees is that it can have an outsized impact. Gary McGraw, a well-known software security expert, argues that reducing the number of employees clicking on phishing links by just a few percentage points translates into disproportionately fewer problems. In other words, a small reduction in employee errors across an entire organization adds up to far fewer incidents that a CTO has to handle, ultimately saving time and money.
Ed Moyle, the Director of Emerging Business and Technology for ISACA, explains this principle in data security management with an analogy to blackjack: “Play blackjack in a casino with the perfect strategy, and the house is favored by less than 0.5 percent. Count cards, though, and you are favored by about 1 percent. In this case, this spread — a total of less than 2 percent — quite literally means the difference between a multibillion-dollar revenue stream for the casino and a threat considered so dangerous that you are barred from setting foot inside if you are caught.”
Data security training helps put the odds in your favor, and even a small shift can reap huge rewards for CTOs and the entire organization.
Yes, you need to invest in other solutions too, but it shouldn’t be an either/or proposition. Data security training, good policies, and technical solutions work together to create a comprehensive cyber security program.
Learn more about LawRoom’s Online Data Security training.
Or read our whitepaper on what makes an effective data security training.
Post originally published via LawRoom.com.