By Ryan Rubin, Managing Director, Protiviti UK

You would have thought that, given the number and seriousness of information and data security breaches, organisations would be in a better position to protect sensitive information and the numerous devices this data is now stored on or accessible from. Sadly, this is still not the case. Too many companies continue to get breached — regularly losing intellectual property or customer data. Furthermore, organisations are taking too long to notice that a breach has occurred, often finding out in a magnitude of months later that a breach occurred, leaving little time to respond effectively and notify key stakeholders.
Security attacks have shifted focus from solely targeting computer systems to targeting the people that have access to the information attackers want to obtain.

Much to the chagrin of IT and risk professionals trying their best to train, inform and instil in their employees something approaching ‘best practice’, many employees remain largely unaware of the significant consequences of a data breach.

What many people do not understand is just how damaging a breach can be, not just in terms of reputation but also financial. Contractors that lose client information, for instance, can be faced with high liability implications. And while levels of security information training have increased in the UK, Protiviti has observed that much of the training does not effectively convey these consequences — it is only when a breach happens that the true reality dawns on people.

In our opinion, despite increased levels of training at both financial services and non-financial businesses, the training is too basic, simply a box ticking exercise, or worse, giving them a false sense of security. Key information security messages are still not getting through to significant numbers of employees, and that good information security practices are still not part of the risk culture at many UK businesses.

It is important not to overtly disparage current information security awareness training. Many firms have excellent processes in place.
More needs to be done, however. Information security training needs to be more focused on employees’ roles and the consequences of information security breaches and less on the basic mechanics of security. For training to be effective, it needs to be tailored to the roles of employees, and many organisations need to review both the nature and frequency of their training. Reporting security breaches and ‘near breaches’ is one good way to help improve security awareness. The following points are particularly important for businesses:

1. Create a strong foundation. Develop training programmes with shorter lifecycles — three months rather than three years. Make sure training is focused on individuals, has feedback from recent incidents (and near misses) and is tailored towards consequences not rules. Training needs to be regular and refreshed (agile to security threats).

2. Organisational buy-in. Make sure all stakeholders are involved and engaged and buy-into the training being provided.

3. Participative-based learning. Get people involved in the training through gaming and/ or other techniques that involve actions/ activities rather than just one way feedback. E.g. simulate a phishing attack and see whether people fall for it.

4. Be creative. Apply a variety of techniques (e.g. guerrilla marketing) to have impact. Training should not be superficial in nature, but be seen to have long lasting effects — gimmicks like mugs/ mouse pads apparently don’t work.

5. Metrics and measurements. Measure the progress and success of a programme — are passwords now stronger, how many laptops were lost and reported this month, do we see a reduction in computer viruses on peoples computers, etc.

6. Partner with others. Bring together teams from different disciplines, such as marketing, HR and IT departments. New iPads issued result in additional awareness and make sure that any new applications rolled out include additional security training of those applications.

7. Be an enabler to the business. Train through enabling people to do things more securely rather than being the policeman saying “no!”.

By Ryan Rubin, Managing Director, Protiviti UK