Increased Risk Means We Need to Increase Training
Threats are constantly evolving and your training and testing must also evolve to counter these threats and keep your defense robust.
A cyberattack is a malicious and deliberate attempt by an individual or an organization to breach the information system of another individual or company, seeking benefit from the disruption, ransom, or theft of data.
This electronic threat is increasing in frequency and complexity and has become very expensive to remediate or to recover from.
Here’s the surprise – almost 90 percent of cyberattacks are caused or allowed by human error from the internal staff of the entity attacked.
This includes failure to follow security rules and protocols, sharing passwords, using weak or default settings, and falling victim to social engineering.
Even large events such as the breaches at Equifax and Target were caused by a failure to follow the rules regarding administrative password settings, that is, human error.
So whether your business is large or small, you need ongoing, strong training and testing to counter the threats.
Recent results of a survey of title insurance professionals by the American Land Title Association show that a surprisingly small number of agents conduct ongoing staff training; most do it only once, when they hire an employee.
This is a recipe for eventually becoming a victim of electronic fraud.
There are simple yet effective steps you can take to counter the increasing threats with a strong defense, and it starts with regular training and testing to remove or reduce the human error element.
Here is what to do to put a training and test plan into action:
- Ensure new hires are introduced to and educated on information and data security policies and procedures, as well as how to protect nonpublic personal information (NPI) and sensitive information. Emphasize the “why” so they fully understand the shared nature of the responsibility. This should be a core part of their orientation and onboarding.
- Set and schedule ongoing training for all employees at every level commensurate with the size of the staff and complexity of your business. This should be monthly, quarterly or semiannually.
- At a minimum, cover access controls (passwords, passphrases, multi-factor authentication); network and data distribution (including never using unsecured networks, such as those in cafes, hotels, or airports, to conduct business, and never using a general email service like Yahoo or Gmail to send NPI or sensitive information); phishing and spear-phishing; and social media and social engineering.
- Require security measures for smart devices (smartphones, and in particular Android devices, account for a large percentage of data breaches).
- Explain the implications of data loss, which include reputational damage and potential fines, penalties, and lawsuits.
- Focus on all media forms – hardcopy as well as electronic – and include proper handling and protection from receipt, through handling, to secure destruction.
- Training may be done with internal documents, or you may use a third party to conduct the training (e.g., Data Shield or KnowBe4).
- After the training, use a quiz to gauge how well your employees understood the material.
- Develop, or use a third party to conduct, ongoing, regular internal testing such as phishing or spear-phishing simulations (KnowBe4, for example, is one vendor that provides this tool). Depending on the results, you may then make appropriate changes and refocus your training on any weak topics or areas.
- Provide a single point of contact the employee may turn to with questions or to report any suspicious attempts to obtain information or data (electronic or by phone).
- Keep records of the training, the attendees, and the testing results. These will be needed to demonstrate good faith and to meet many state requirements – and it’s a best practice.
Last, keep up to date on emerging threats and vulnerabilities and provide updated training to employees so they understand new risks or new controls and why they are important; employees must know how to recognize and report threats in order to stay vigilant.
This will keep your training and testing current and fresh and serve as a continual reminder to your staff. Remember, this is a marathon, not a sprint. Threats are constantly evolving and your training and testing must also evolve to counter these threats and keep your defense robust.