“The biggest issue is people. People get things wrong, and it’s really difficult to plan how they’ll get it wrong.”
50 – 88% of breaches are related to human error (depending on which survey you read).
Even at the lower end, the majority of these breaches come down to a lack of awareness, understanding or thought about malicious activity. All the IT security controls in the world can’t stop people from being people and making honest mistakes.
Current State – Training & Awareness
IT, Cyber Security & Information Governance training should make up a core part of all end users’ training and awareness (on an annual basis). Many organisations cover IT well but fall short on Cyber Security and Information Governance/Data Protection. This is a sobering point when 50%+ of breaches are the result of human error.
What we need to consider
- There are probably more “people” to consider than you think. We should be thinking about everyone… internal staff, external users, third parties and even the “bad guys”.
- If we fail to train and educate our own people, are they at fault for their mistakes?
- Do we have a process and approach for when our people fail or make a mistake?
- Risk reduction is key for any business, and people should rank high on that risk reduction list.
Training, Awareness & Personal Development
- Online Courses: They certainly have a place as a baseline education tool. Cost effective and scalable, but often generic and rarely competency checked. We must question how much information is absorbed, let alone truly understood.
- Awareness Content: Communication on risks and best practices, but it can be lost in the day-to-day noise if shared only as an FYI. Rarely competency checked. Can be effective if tailored to the specific organisation, end users and scenarios – but that takes time.
- IT Team: Commonly trained at system and service levels, but time, resource bandwidth and/or funding for personal development can be limited. “Defence” spending is common, with a “train the bare minimum” mindset.
- Data Protection Team: We’ve found this group of individuals to be isolated in roles/departments, with little to no personal development time and resources. The majority are driven to self-learn, in a hugely changing market.
How to enhance your Training & Awareness approach
1 – Develop a Suitable Training & Awareness Plan: A simple approach that includes:
- Training that reflects their business risks and processes
- Training by role – Financial departments are typically at greater risk
- Introduce awareness campaigns
- Ensure staff can identify risks – phishing etc.
- Tell staff when things go wrong.
2 – Personal Development: Ensure appropriate learning, training & awareness for key people, backed by industry qualifications & standards:
- IT Team
- Data Protection/Information Governance Team
- High risk teams – Finance, Legal & HR
3 – Revisit Your IT Security/Environment: Have you considered your IT Security approach from all users’ perspectives (internal, external, third party)?
- Segregation/Separation of duties
- Access Controls
- Change Control
- And all the technical controls we bang on about (MFA, Encryption etc)