How to Improve Security Awareness in Your Company

By Joseph Kirkpatrick

President

Kirkpatrick Price

March 24, 2021


It’s estimated that 2020’s global losses from cybercrime will total over $1 trillion.

That’s double 2018’s losses, and for comparison, bigger than the GDP of 90% of the world’s nations. Many of the losses were incurred during massive security incidents at multinational giants, but the outlook isn’t great for the average business either. 

The global average cost of a data breach is $3.96 million, and it’s even higher for U.S. businesses at $8.64 million. The high ROI of online crime is hugely motivating to bad actors, which is one reason your business needs to take information security awareness seriously. 

Almost half of all security breaches are caused by human error, employees, or insiders, according to Shred-It’s 2019 Data Protection Report. Many of those breaches could have been avoided. Increasing security awareness is one of the most effective ways to reduce security vulnerabilities that criminals rely on to breach networks and steal data. 

Security awareness is even more important in the era of COVID-19. The pandemic has forced many employees out of the controlled environment of the office. They are working from their living rooms and bedrooms, often using devices that are not under the control of your IT department while connecting from potentially insecure networks. 

What is the importance of security awareness?

Security awareness is the level of understanding employees exhibit about the security threats that face an organization. It includes comprehension of both threats and the measures that can be taken to counter them, particularly the part they as individuals play in creating and mitigating potential security risks. 

The primary importance of cybersecurity awareness is threat reduction. Employees and executives have privileged access to sensitive data, and it’s vital that they understand how and why that puts them in a vulnerable position. 

Additionally, many certifications and regulatory frameworks, including PCI DSS, HIPAA, and SOC 2, require that employees be trained to increase their security awareness.

Information Security Threats Facing Your Business

Before we look at how businesses can improve employee and executive security awareness, let’s consider some of the threats that businesses across the U.S. face daily. 

  • Phishing attacks are one of the most common attacks against businesses. Attackers spoof email or instant messaging identities to trick employees into handing over sensitive data such as credit card numbers or authentication credentials. 

  • Ransomware attacks use malware to encrypt data and demand a ransom in exchange for the decryption keys. 

  • CEO/Executive fraud attacks impersonate senior executives’ email or social media accounts to trick employees into transferring money or sensitive data to the attacker. 

  • Insider attacks are a breach of trust by an employee or executive, who leaks sensitive data to an unauthorized third party or deliberately exposes the organization to the risk of other types of attack. 

  • Misconfiguration of software and hardware is among the most common vulnerabilities. Misconfigured or outdated software is frequently used as an attack vector to gain access to sensitive devices and networks. 

The risk posed by these security threats can be largely mitigated by increased security awareness and a security-friendly company culture. 

How Can Security Awareness Be Improved?

Improving security awareness should be a priority for businesses that handle sensitive data, especially if that data falls under regulatory standards such as PCI-DSS and HIPAA. 

Security Awareness Training

An organization’s security is not just the responsibility of its security and IT teams. Every executive and employee should have a role to play. However, the average level of security awareness in the general population is quite low, even among technical employees. 

It’s vital to provide training that gives employees the knowledge and tools they need to recognize and react appropriately to threats. A one-size-fits-all approach to security awareness training is ineffective. Security training should be relevant to the employee, their role, and their existing knowledge level. 

Security Risk Analysis

Although businesses face a broad spectrum of threats that are in many ways universal, they must also be aware of the specific threats and vulnerabilities that arise from their technology choices, operational processes, and hiring practices. Each of these factors can also interact with regulatory frameworks to create a unique set of security challenges and potential threats.

Security awareness training should be tailored to each business’s security challenges while embracing the need to give employees and executives a broad understanding of the spectrum of potential threats and vulnerabilities. 

Security Testing

Security testing helps businesses to identify potential security vulnerabilities. The knowledge gained during testing can be used to mitigate vulnerabilities and to inform security awareness training programs. 

For example, simulated phishing attacks are often used to identify vulnerable executives and employees who could benefit from targeted training. Penetration testing, also known as pen testing or ethical hacking, can also be employed to highlight specific areas of vulnerability to be addressed by training. 

Make Security and Privacy a Priority

Organizations have competing priorities, and security and privacy may lose out to other operational and financial considerations. When security is a low priority, security budgets are minimal or non-existent, executives take little interest, and the organization is unwilling to focus on security and privacy when implementing software and business processes.

If employees don’t feel that their management prioritizes information security, they are unlikely to pay sufficient attention to potential risks. 

Security awareness training is a way businesses can emphasize security’s importance, but it is also important that someone within organizations and teams has overall responsibility for monitoring and enforcing security policies. 

Foster a Security-Friendly Culture

Security awareness goes hand-in-hand with a culture that rewards employees for reporting security problems and works with them to improve their awareness. A negative attitude to security can discourage the reporting and mitigation of security issues. 

To foster a positive security culture:

  • Consider security mistakes to be training opportunities rather than opportunities for shaming or punishment. 
  • Encourage and reward employees who report potential vulnerabilities. 
  • Cultivate a climate of cooperation so that employees are confident that everyone in the company is working towards common security goals. 

Excessive secrecy around security and harsh treatment of employees who make security errors can breed a climate of fear that discourages open discussion of security issues. 

Security awareness is a vital component of security, privacy, and regulatory compliance. Security awareness training, a security-friendly culture, and technological approaches such as pen testing help businesses to mitigate risks and avoid damaging breaches.

For more information, visit kirkpatrickprice.com.

Joseph Kirkpatrick is the President of Kirkpatrick Price. Kirkpatrick Price is a licensed CPA firm, PCI QSA, and HITRUST CSF Assessor, and most commonly provides advice on SOC 1, SOC 2, HIPAA, HITRUST CSF, PCI DSS, GDPR, ISO 27001, FISMA, and penetration testing. For more information, visit kirkpatrickprice.com.
