When most organizations are developing their information security policies, there’s great emphasis on firming up IT systems to make it harder for security breaches to occur. Technical controls certainly play an indispensable role in ensuring data and system security. It would be imprudent and costly for any organization to disregard applying such best practice mechanisms. The problem, though, is that many businesses ascribe excessive significance to technological safeguards. They thereby end up neglecting nontechnical controls that are just as important. In particular, companies often do not give sufficient weight to InfoSec awareness. Unfortunately, InfoSec training is often not a major part of their employee induction programs — but it should be.
Even when organizations include InfoSec training in employee induction programs, the new employee InfoSec training session is often too short. It cannot cover all the key facets in sufficient depth to ensure employees gain the required level of understanding. Here are the five main reasons you should give InfoSec training adequate time during the induction of new staff.
1. Enterprise systems are still largely human dependent
Artificial intelligence and machine learning have been a major talking point in recent years. Much of the conversation has dwelt on the jobs that will be lost thanks to this next-level advancement in automation. Nevertheless, we are still a long way from systems running independently of human intervention becoming the norm.
Human-dependent technology will be with us for some time to come. That’s why technology controls alone aren’t sufficient to protect your organization’s data and systems. Human action still plays a big role.
For example, it’s important to ensure virus definitions on all of the organization’s computing devices are always up to date. However, you must combine this with explicitly warning employees not to download and open email attachments whose origin is unknown or cautioning them not to plug in personal flash drives to the network. New employee InfoSec training provides the perfect forum to do just that.
Despite your strong antivirus systems, it would take only one employee's indiscretion for new, unknown malware to spread across your entire network.
2. Employees are a bigger threat to InfoSec than technological lapses
Every so often, a spectacular cybersecurity incident grabs international headlines. It could be a sophisticated hack that sees the theft of millions of confidential records over months or years or a massive DDoS attack that renders some of the most popular websites in the world inaccessible for hours.
Such incidents involve highly skilled individuals who can leverage their knowledge to carry out their nefarious schemes. Yet, the majority of security incidents are due to employee error. In fact, the two attacks we have cited as examples above can probably be traced to an employee’s deliberate or inadvertent action.
Examples include clicking on a link sent via email or sharing confidential data over the phone with a social engineer. It is essential that employees understand the information security risks they are exposed to daily and how their actions can lead to data loss.
3. It takes just one employee for everything to unravel
A chain is only as strong as its weakest link. The same applies to an organization’s information security program. Even with the most advanced technological controls combined with a disciplined and knowledgeable workforce, it only takes one employee’s mistake for everything to come crashing down.
If you are going to have a weakest link in the organization, chances are that it will be a new employee. This is what induction training programs should seek to prevent. New employees are unfamiliar with company policy and procedure as well as the risks such procedures seek to mitigate. They are easier to mislead and more prone to error.
Robust new employee InfoSec training ensures that from the start, new workers understand why each of them has such a huge responsibility in protecting the company’s data.
4. Government regulation may demand it
By now, it should be clear that InfoSec training and awareness for new hires is a good thing to do for the overall wellbeing of any organization. In addition to all the practical merits though, you may be legally obligated to provide awareness training for your staff.
Certain types of business must train their employees on InfoSec. These include financial services institutions, publicly traded businesses, health-care organizations, and all federal agencies. The required scope and frequency will vary. Business leaders must obtain legal counsel on what the curriculum should be.
A failure to provide new employee InfoSec training leaves the enterprise susceptible to regulatory censure, penalties, and lawsuits.
5. Protect your reputation
An information security breach has a direct cost impact. First, there is the potential exploitation of the lost information or compromised systems. Second, there is the expenditure required to fix the vulnerability so that a similar incident doesn't occur in the future. But there is a third cost component that is possibly much more detrimental to the business's survival: reputational damage.
When customers share personal information with an organization such as Social Security numbers, credit card numbers, driver’s licenses, home addresses, and transaction histories, they do so with the understanding that such sensitive data will be protected from unauthorized access or use.
If such personally identifiable information falls into the wrong hands, it could do enormous damage to the business's reputation that would take plenty of money and time to recover from. In this regard, new employee InfoSec training is a preventative control that reduces the likelihood of ruining your company's reputation through a cybersecurity incident.
An effective new employee InfoSec training program that ticks all the right boxes should have input from not just IT and security teams but also the compliance and legal departments. From the onset, businesses must make it clear to new hires that there will be consequences not just for the company as a whole but for them personally if they fail to adhere to InfoSec policy and procedure.
A single InfoSec training session is not enough
Of course, a single InfoSec training session isn't sufficient for the employee's entire tenure at the organization. All staff, not just new hires, must undergo InfoSec training at least once a year. Businesses should combine the training with periodic informational bulletins distributed to staff via email that ensure InfoSec is always top of mind. Overall, a security-conscious workforce is an asset to the organization.