People are the weakest link in information security. This overstated and simplistic truth may sound like a buzzword, but a brief glance at incident history, such as the well-known Target breach and the more recent, larger WannaCry attack, reveals that even with the latest infrastructure in place, if the human element is not taken care of, the likelihood of a successful attack, and the resulting impact, are much higher than one would consider acceptable.
That is where information security training in organizations plays a major role. There are two ways to strengthen the weakest link: conditioning and awareness. Although both work through behavioral modification, conditioning will in most situations be the simpler solution, and most organizations are satisfied with it, because it does not require users to understand anything: they are simply and consistently rewarded for following a set of strict rules or discouraged from breaking them.
Awareness, on the other hand, requires knowledge: understanding why the rules exist, and continuing to follow them for reasons beyond a system of punishment and reward. Your people will instead understand why information security is a vital element of the company, what the negative effects of incidents are, and what is required of them. It is crucial to understand that the main objective of security awareness is, at the end of the day, to provide a higher level of protection by ensuring that all employees understand basic security controls, are well aware of internal policies, and know how to report security incidents.
Apart from the obvious advantages, not having an awareness program in place is simply not an option in some cases, as several regulations and laws require a formal and effective information security program, for example:
Federal Information Security Management Act: FISMA, 4 U.S.C. §3544, includes ‘security management training to educate personnel, including vendors and all users of information systems that sustain the agency’s functions and facilities,’ including ensuring that users recognize the information security risks involved in their actions, their obligations under department policy, and the protocols intended to minimize those risks.
Health Insurance Portability and Accountability Act: the HIPAA Security Rule, 45 CFR, lists among its training criteria a requirement for “implementing a security training and awareness system for all members of the workforce (comprising management),” implying that each new member of the workforce will undergo security awareness training within a reasonable period after hiring, covering periodic security updates, password management, and protection from malicious software.
State regulations: state regulations also apply, such as 201 CMR 17.00, the Massachusetts requirements for safeguarding the personal information of Commonwealth residents. It requires regular training of employees (including temporary and contract staff) on compliance with policies and procedures, on the correct use of the electronic security program, and on the importance of protecting personal information. Another example is Nevada’s Data Privacy Encryption for Personal Information law, NRS 603A, one of the earliest state laws on the matter: in force since January 2010, Nevada’s data security law mandates encryption of customers’ personal data both in transit and in storage.
Payment Card Industry Data Security Standard (PCI-DSS): the PCI standard is mandated by the card brands and administered by the Payment Card Industry Security Standards Council; it is not a regulation as such but a voluntary information management framework for companies that accept credit cards from the major payment schemes. Control 12.6 calls for a formal security awareness program to teach all employees about the importance of cardholder data security. This makes PCI training a necessity for any business that wants to offer online payments and engage in e-commerce.
Controlling risks with security awareness
Some security events cannot be prevented or detected by technology. Social engineering is a basic example: the art of manipulating people does not rely on technology, and it can be used to obtain information over a phone call (e.g. classified records, passwords) or even on-site, through direct entry to restricted areas. Unfortunately, there are few if any technical safeguards that can stop this kind of attack, and the only realistic option is to make users aware of the risks and of how to handle them.
Another example of an information security risk that cannot be managed by technical controls is spoken information. Your users routinely talk about company information, even sensitive information, in places where they can be overheard by an unauthorized outsider. This may happen inside the organization’s physical perimeter, but also out in public places. Again, the best prevention is keeping your users alert to the fact that discussing restricted information in an insecure place can have severe consequences for the organization.
It is crucial to recognize that security awareness is necessary to address every security-related issue involving employees. Not only ordinary users but also executives are a tempting target for cybercriminals, who will take every chance to steal your records, threaten your business, or use any other strategy that could turn a profit. Topics including social engineering (with or without the use of emerging technologies), phishing and spear-phishing, acceptable use of information, secure data disposal methods, incident detection, data security, password management, and data safety (in both digital and physical form) are essential for every training plan and can help you avoid serious incidents.
Any organization needs to invest in security awareness training
By 2016, IBM’s data breach cost study for the USA reported a 7 percent year-on-year rise in the overall cost of data breaches. Businesses hit by serious security breaches not only lose customers’ confidence but may end up losing the entire company after a big data breach.
Security awareness was identified as one of the main factors that reduce data breach costs. This is really a simple matter of figures: the average leakage incident involves about 29,611 records, at a cost of $221.00 per record. That means a potential loss of $6,544,031.00 in a single case. With a small fraction of that sum, any organization can build a strong awareness training program. The CompTIA Security+ certification is one suitable training option for information security.