Information security is viewed in some organizations as a function owned by a few individuals or one department. However, with human error remaining the most prominent cause of data breaches, it is important to create a corporate culture that views information security as a shared responsibility among all employees.
A data breach can cause significant financial, legal and reputational damage to a business. When data protection is prioritized and done well, it provides more disciplined operations, increased customer and stakeholder trust, and minimized risk of fraud or a data breach. One of the best ways to reduce risk is to implement regular and comprehensive training programs for all employees.
Despite this, UK companies are not prioritizing employee training in their fight against fraud and data breaches, according to Shred-it’s 2016 Security Tracker UK Information Security Survey. As many as 87% of UK small business owners and over half (58%) of C-Suite executives say they only conduct employee training on their organization’s information security procedures once a year or less. Furthermore, 66% of UK small business owners and 13% of C-Suite executives report that they only provide this training on an ad hoc basis or never at all.
Experts suggest that employees may forget 50% of training information within one hour of a presentation, 70% within 24 hours and an average of 90% within a week. When you consider this, it is clear that training once a year or on an ad hoc basis is insufficient to ensure that employees are clear on their responsibilities.
Proper training throughout the year gives employees the knowledge and skills to protect organizations from serious risks such as theft, fraud, data loss and reputational damage. This puts businesses in a better position to protect valuable customer, employee and business data. Furthermore, with the government currently considering laws that will hold company bosses liable if they do not stop their employees from committing fraud, it is more critical than ever that businesses educate their employees on information security.
The following measures can help ensure employees have a solid understanding of company information security policies and best practices.
1. Commit to a Culture of Information Security: When management demonstrates a commitment to information security, employees are more likely to follow suit. If managers behave in a way that undermines policies, employees won't take them seriously either. Consider asking employees to make a commitment to ensure their workplace becomes a more secure environment. Make sure this commitment is displayed visually in various locations throughout the office. To encourage participation from all areas of the business, consider appointing employees from a range of departments to participate on a committee focused on improving information security practices.
2. Repetition and Frequency are Key: Repetition and frequency are the keys to a successful training program, one that builds knowledge in the right way so that businesses safely manage, store and destroy physical and digital data. Training should occur throughout the year and include various modules on organizational information security policies. Consider a "multichannel" approach using a mix of in-person and digitally delivered video training content to ensure employees are aware of how to handle and dispose of confidential information.
3. Out of Sight, Out of Mind: Place visual cues throughout the office to remind employees of their responsibilities in protecting confidential information. Reminder posters, such as this series of office security posters from Shred-it, can help employees identify common workplace errors and spot areas where data breaches are likely to occur.
4. Go Where Your Employees Are: A growing number of employees are now working outside of the traditional office environment. Ensure training addresses the safe destruction of confidential information for both office and remote workers. Also, ensure internal newsletters, intranet news feeds, employee and corporate social media accounts provide constant reminders about different aspects of information security that employees can access regardless of their location. Keep the information short to make it more digestible.
5. Embed it: Make security best practices a seamless part of daily tasks. Implement a ‘Shred-it all’ policy, which requires all documents to be destroyed once no longer needed, and a ‘Clean Desk’ policy, which encourages employees to clear their desks and lock documents in a filing cabinet or storage unit when they leave their workstation at the end of each day. When these policies become common practice, there is little decision left to employees on what should and shouldn't be destroyed.