Educate your employees about information security or all the security tokens in the world won’t save you.
A company may have a decent-sized security budget and spend it effectively on firewalls and other protection devices, but if you fail to educate your end-users, all that investment can be for nothing. Hackers, spammers and other evil doers regularly target end-users because it is often the easiest method of attack and is extremely effective. Targeted spam emails and malicious web sites are two of the most common threats, but it is important to implement a general awareness campaign that covers a wide range of information security issues, from what makes a good password to the importance of physical security. Here are some of the important factors to consider when implementing an information security awareness program.
Be Consistent – Develop a weekly or monthly routine and stick to it. Send out the email on a consistent day so the user will come to expect it and perhaps even look forward to it if you follow the other recommended steps below. Always send it from the same account to minimize the likelihood of confusion, which could otherwise assist targeted spam attempts that imitate your awareness emails.
Keep It Simple – Do not use overly technical language that will confuse or turn off users. Speak in the communications like you would talk in a conversation.
Do I not entertain you? – Try to write in an interesting style and even use humor to keep your users entertained. Entertaining material is more likely to be read and absorbed than stuff that would put an insomniac to sleep.
Provide Examples – Many people learn best from examples, and there are plenty of those readily available. Find a recent incident that demonstrates the point you are trying to make; it will make the point more real and less theoretical. People listen more when they know others have fallen for a trick and are more likely to absorb the information.
Be relevant – Providing examples that they can use at both work and home is a great way to keep people interested. Examples include safe Internet surfing, avoiding spam emails, and the importance of having up-to-date anti-virus signature files.
Consider Posters – Emails are great, but they are often easily ignored. Utilizing posters in high-traffic areas in addition to email is a great way to mix it up and capture the attention of people who otherwise might not care.
Make it a job requirement – Security is only as strong as the weakest link. It is everyone’s responsibility to follow good information security practices and keep the company secure.
Thursday, March 24, 2011
Wednesday, March 9, 2011
Security Awareness and The Ponemon Institute Study
Security awareness once again appears to be a solution to data breaches. With negligence being the leading cause of data breaches, it only stands to reason that a robust and effective information security awareness program will go a long way towards reducing both the number and the cost of data breaches. This is why it is paramount for senior management to institute and maintain such a program. It should not be a cookie-cutter program given to employees just to meet legal and regulatory requirements. It should be relevant to the industry and the company, and it should aim to change the security culture of the employees.
The average cost of a data breach increased 5 percent in 2010 to $214 per compromised record, according to the sixth annual U.S. Cost of a Data Breach study by the Ponemon Institute.
Indirect breach costs, such as the loss of customers, outweigh direct costs by nearly two to one, according to the study. But direct costs rose five percentage points to account for 34 percent of total costs in 2010, primarily because of increased legal defense expenses.
"The sharp growth in direct costs and slight but persistent decrease in indirect costs over the past three years may indicate that companies are taking their response to data breaches more seriously than ever," according to the report's executive summary.
Breach Causes
Among the report's other key findings:
• The leading cause of breaches is negligence, accounting for 41 percent, up from 40 percent in 2009. The cost of these breaches averaged $196 per record, up 27 percent from 2009.
• Of the various causes of data breaches, malicious or criminal attacks increased the most in 2010, now accounting for 31 percent of breaches.
• For the second straight year, abnormal churn or turnover of customers after data breaches appears to be the dominant factor in total data breach cost, the study shows. The industries with the highest 2010 churn rates were pharmaceuticals and healthcare.
• Protecting against viruses, malware and spyware infection was the No. 1 data protection priority for the studied companies in 2010.
• Training and awareness programs remained the most popular post-breach remedies in 2010, mentioned by 63 percent. Expanded use of encryption was the second most popular, at 61 percent.