To truly protect themselves, every firm needs to make information security awareness and training an ongoing, proactive priority, instead of waiting for a cybersecurity problem to present itself.
By now, few if any business leaders need to be convinced of the importance of data protection and security awareness. It’s a topic that executives, managers and just about all other decision-makers are very familiar with – in theory, at least. In practice, many firms come up short in this area, as the endless series of widely reported data breaches continues to demonstrate.
What accounts for this discrepancy? Writing for Forbes, Teradata’s Scott Gnau recently asserted that a big part of the problem is the fact that too many companies focus on data security awareness only after they experience a breach or other incident. To truly protect themselves, every firm needs to make information security awareness and training an ongoing, proactive priority, instead of waiting for a cybersecurity problem to present itself.
As Gnau noted, a lot of companies use data breaches as the catalyst to roll out broader, more effective cybersecurity-related policies, strategies and resources. While this is understandable to an extent, it is also far from ideal. The writer described this perpetual responsive stance as “futile, frustrating and costly.”
Instead, Gnau emphasized the value of a more proactive approach. This does not mean that such an approach will definitively protect a company from the threat of cyberattacks or inadvertent breaches; in reality, there is no way to achieve such a guaranteed level of safety. However, a proactive, around-the-clock strategy will drastically reduce the risk of such events occurring.
Minimizing the danger in this capacity can translate into tremendous value for the companies affected. While it’s true that there will be a cost associated with year-round information security awareness and training efforts, this expense is infinitesimal compared to the damage that a full-blown data breach will cause. Consider the recent reports of a worldwide ring of cyberattackers who managed to steal as much as $1 billion from a range of major financial institutions. This theft took the form of a large number of smaller incidents, many of which were only possible thanks to missteps and oversights on the part of employees. With more robust, engaged training and guidance, it is likely that the hackers would have had far more trouble, and far less success.
This raises the question of how, exactly, organizations can best approach and achieve ongoing security awareness.
A key component in any such effort should be training. Employees need to understand both why cybersecurity is so important and how their day-to-day responsibilities and habits intersect with this issue. Training can deliver this level of awareness. An effective, high-quality training program will deliver in-depth guidance, including best practices and strategies for avoiding common pitfalls. This is critical, as a large percentage of all corporate data breaches are preventable. In many of these cases, employees unknowingly engage in unsafe digital behavior that creates opportunities for hackers.
Critically, only ongoing, regular training sessions can ensure that employees retain the information necessary to avoid these missteps. A one-time lesson on cybersecurity best practices is simply not enough to affect worker behavior.