If there is one lesson to be learned from the recent spate of security breaches, particularly those involving ransomware, it is this: adequate training for personnel can dramatically decrease the likelihood of a successful attack on a business. Unfortunately, as borne out by the recent attacks, businesses are continually failing to adequately train their personnel. It is incomprehensible that businesses are overlooking this key component of their security programs. Yet they continue to do so.
Ongoing training about current and future security issues is just not on the radar screen of most companies. That has to change.
Effective security requires a unified approach. Appropriate technology and well-written policies are critical. But, they cannot provide the entire solution. Recent studies have shown that it is the human element that is at the heart of most security incidents. Just last year, Verizon reported that the human element continues to be the weakest link in information security. They cite recent examples of breaches in the healthcare industry as highlighting the need for better training. This should not come as news to anyone involved in the information security industry. In my experience, it is the failure to provide employees with appropriate and ongoing training that creates conditions ripe for a security incident.
On the other hand, businesses willingly spend thousands of dollars purchasing and deploying sophisticated information security technology. They spend similar amounts developing security policies, information-handling requirements and related documentation. But, when it comes to personnel training, we see a minimal attempt to provide basic training at the time of hire and just a lunch-room poster or two aimed at “security awareness.” Such an approach is grossly inadequate. This is not to say some businesses aren’t on top of the training issue, but many clearly fall short.
Top cybersecurity training tips and best practices:
- Inform personnel about exactly what your data is and where it is located. Train them on how to securely create, access and destroy data.
- Regularly review abnormal technology behavior, and encourage personnel to report concerns and ask questions.
- Don’t allow personnel to download or install unauthorized/unapproved software or applications, including encryption software, remote-access, backup or other similar software.
- Ensure personnel understand that no public email or messaging service is secure. For example, avoid sending sensitive information through unsecured email, texts, social media or other communications, and don’t allow them to forward internal email and documents to a personal email address or download to personal devices. Be cautious of emails and PDFs that appear suspicious.
- Teach them the ways of the internet, such as ensuring a website’s address begins with “https” (not “http”) before submitting information through it (this indicates an encrypted connection, not that the site itself is trustworthy), and reiterating that there is no “delete” on the internet – the internet is forever.
- Tell personnel to beware of requests from smartphone applications to access personal data, which can be analyzed and sold to others. Ensure they are mindful of backup applications that run continuously on personal devices, which can make copies of sensitive information and store them online.
- Never allow a third party to use a workstation or access your systems and data without supervision and appropriate contractual protections. For example, consider removing encrypted data from a personal device before allowing the third party to access it. Securely remove data from a device if you are selling or disposing of it.
Proper training of personnel has several advantages. Foremost among them are the reduction of incidents and the ability of the company to demonstrate it has acted diligently to protect its information and, if applicable, the information of its customers. This last point bears a further comment.
In the event of a compromise of security, one of the key questions courts and regulators, such as the Federal Trade Commission, will ask is, “Did the business do what is reasonable under the circumstances to secure its information?” We all know it is generally impossible to secure information absolutely. Breaches of even the most secure systems can occur. Just ask the National Security Agency and the U.S. Department of Defense.
The question, however, is whether the business that has experienced a breach did everything that was reasonable under the circumstances to prevent the breach. Obviously, what is “reasonable” will change over time. But, the constants are (1) appropriate technology, (2) relevant policies and (3) proper education of personnel. Businesses that address the first two constants but not the last are opening themselves up to potential claims they failed to act reasonably in protecting their information.
To many businesses, the idea of ongoing training about current and future security issues is just not on their radar screen. This must change. Money must be allocated to ensure this single greatest source of security compromises is addressed. I have seen this work in businesses that have implemented more rigorous training for their personnel. They have been able to achieve far greater security and have significantly fewer incidents. Other businesses should follow suit.
**Note** Originally published on CSO Online by Michael R. Overly.
Michael R. Overly is a partner and intellectual property lawyer with Foley & Lardner LLP where he focuses on drafting and negotiating technology related agreements, software licenses, hardware acquisition, development, disaster recovery, outsourcing agreements, information security agreements, e-commerce agreements, and technology use policies. He counsels clients in the areas of technology acquisition, information security, electronic commerce, and on-line law. Mr. Overly is a member of the Technology Transactions & Outsourcing and Privacy, Security & Information Management Practices.
Mr. Overly is one of the few practicing lawyers who has satisfied the rigorous requirements necessary to obtain the Certified Information Systems Auditor (CISA), Certified Information Privacy Professional (CIPP), Certified Information Systems Security Professional (CISSP), Information Systems Security Management Professional (ISSMP), Certified in Risk and Information Systems Control (CRISC) and Certified Outsourcing Professional (COP) certifications.
From 2010 to 2015, The Legal 500 recognized Mr. Overly for his information technology work in the U.S. In 2005, he was selected for inclusion in the Southern California Super Lawyers® list and also was honored by Los Angeles Magazine for this recognition. In addition, Mr. Overly was recognized by Chambers USA for his IT & outsourcing work (2013 – 2016).
Mr. Overly is a graduate of Loyola Law School (J.D., 1989), where he was articles editor of the Loyola Law Review and elected to Order of the Coif, and Texas A&M University (M.S., electrical engineering, 1984; B.S., 1982). He was admitted to the California Bar in 1989.
Mr. Overly is chair of the Legal Working Group for the Cloud Standards Customer Council, an end user advocacy group dedicated to accelerating cloud’s successful adoption, and drilling down into the standards, security and interoperability issues surrounding the transition to the cloud. He is also a member of the Computer Security Institute, the Information Systems Security Association, the Computer Law Association, and the International Technology Law Association.
Mr. Overly’s numerous articles and books have been published in the United States, Europe, Korea, and Japan. He has been interviewed by a wide variety of print and broadcast media (e.g., the New York Times, Los Angeles Times, Business 2.0, Newsweek, ABCNEWS.com, CNN, and MSNBC) as a nationally recognized expert on technology and security related matters. In addition to conducting seminars in the United States, Norway, Japan, and Malaysia, Mr. Overly has testified before the U.S. Congress regarding online issues.
- A Guide to IT Contracting: Checklists, Tools and Techniques (CRC Press; December 2012)
- The Executive MBA in Information Security (CRC Press 2009)
- Negotiating Telecommunication Agreements Line-by-Line (Aspatore Press 2005)
- Software Agreements Line-by-Line (Aspatore Press 2004)
- The Open Source Handbook (Pike & Fisher 2003)
- Overly on Electronic Evidence (West Publishing 1998)
- E-Policy: How to Develop Computer, E-Mail, and Internet Guidelines to Protect Your Company and Its Assets (American Management Association 1998)
- Document Retention in The Electronic Workplace (Pike & Fisher 2001)
[Disclaimer: The information on this blog or article is provided without any warranty or guarantee, does not provide legal advice to the reader, and does not create an attorney-client relationship with the reader. Any opinions expressed in this blog or article are those only of the author and do not necessarily reflect the views of the author’s law firm or any of the author’s or the law firm’s clients. In some jurisdictions, the contents of this blog or article may be considered Attorney Advertising.]