With fines of up to £500,000 for a serious breach of the Data Protection Act, organisations face serious consequences for not adequately protecting customers’ data. However, the frequency of data breaches is increasing, with 90% of large organisations and 74% of small businesses suffering some form of data breach last year.
Inadequate employee data security training and compliance policies has been a major factor in numerous security breaches. One example involved an employee at a healthcare trust losing an unencrypted USB drive containing sensitive information from several hundred patients. He had taken the memory stick out of the office to work from home. In an online post, the chief executive officer of the trust said the incident occurred because the employee wasn’t adequately trained.
The fact the information was decoded is concerning but what’s even more worrisome is that the executive knew the employee lacked data security training.
Workplaces are still struggling with a lack of security awareness and business information security, according to recent findings by Beazley, a breach response insurance company. After analysing more than 1,500 data breaches that occurred in 2013 and 2014, it found that the two most common sources of data breaches were ‘unintended disclosures’ such as misdirected emails and faxes (31%) and the ‘physical loss of paper records’ (24%).
Furthermore, the 2015 Ponemon Cost of a Data Breach Study showed that almost one third of data breach incidents are caused by negligent employees or contractors.
Here are 6 aspects of security awareness training that every size organisation needs to know:
- The biggest driver of data security training is to improve the overall level of data security, according to Ponemon’s The State of Information Security Awareness: Trends & Developments.
- Regular – not one-off – training ensures that employees stay on top of data security best practices. Shred-it’s 5th Annual Security Tracker Survey showed that in the UK only 36% of organisations hold regular training sessions with 9% of C-Suite executives reporting that employees are never trained, or only on an ad hoc basis. The majority (67%) of small businesses say they either don’t train their employees or they do so only on an ad hoc basis.
- Training must address risky work habits. Losing laptops and other mobile devices is common - lost laptops caused 9,000 security incidents and 116 confirmed data breaches in one year alone. Mishandling data, sharing and reusing passwords, and handling unencrypted sensitive data are also risks.
- Office security policy awareness reminders in the workplace are useful; for example posters on walls and screen-saver reminders.
- Target the mobile workforce with specific training. For example, use privacy screens, carry only necessary sensitive information, and always connect to the internet through a secure wireless network.
- Implement business information security policies and procedures that support security awareness in the workplace. For example, a Clean Desk Policy is recommended; also partner with a paper shredding services provider and replace recycling bins with locked storage consoles. Introduce a shred-it all policy so that all documents that are no longer needed are securely destroyed before being recycled.
Ready to take the first step toward protecting your information? Find out how secure shredding services keep your data secure.