A couple of years ago, The Ponemon Institute’s survey of 1000 companies found that roughly 70 percent of all reported security breaches were due to “insiders”, or what some of us call the “insider threat”. Of course this survey did not surprise professionals in the information security business, as we have been investigating these breaches for years. However, what should surprise you is the lack of a strong correlation between the internal threat and an institution’s security training and awareness program, or the lack thereof. Simply put, if 70% of the problem is attributed to people, why do our budgets show 80% of the dollars, on average, going towards technology-only solutions?
In my opinion, there are only three types of internal breaches: the first is a breach that occurs at the hand of an unknowing resource; the second is predicated on a modicum of knowledge; and the third comes from the insider with the knowledge, skills and intent to extract information and/or cause harm to the business.
The appropriate use of a training and awareness program can protect a business in several ways if we consider the different types of insiders previously mentioned. First, for the unknowing resource, a training and awareness program raises their level of awareness to the point where they are no longer ignorant of the organizational risks that they can create.
Second, for the insider with minimal knowledge of the impact of their actions, their thinking evolves from suspecting it might cause a problem to knowing that they risk severely impacting their organization. This insider type is the one who might consider sending customer information to their personal Yahoo account so that they can work from home without carrying their laptop.
Finally, we have the type of insider who poses a real threat to your organization. This insider will do anything and everything to cover their tracks, including feigning ignorance when and if they are caught. But wait: that same person was subjected to your training program, and they signed the acknowledgment at the end. By having this nefarious insider participate in your training and awareness program, you shift some of the responsibility to the individual, and the organization shows that it has taken the steps necessary to protect corporate assets; of course, you should have a strong control environment as well.
With all of the aforementioned benefits, don’t you think it’s time that you took a second look at your training and awareness program? Of course, there are several things to consider when looking at your program. For example, does the content include the basic security knowledge that people need to be reminded about annually, such as password strength and selection criteria? Also, does the content address new and evolving risks, such as the advent of social networking websites (e.g. Facebook, MySpace) and how information found on those sites could be used against an organization?
I invite the readers of this blog to tell us how they keep their training and awareness content relevant and dynamic; of course, if you disagree with my perspective, I would love to hear your opinion as well. At a minimum, think of this blog the next time you have to sit through a static delivery of content with an acknowledgement at the end. If you’re lucky, you might even get quizzed on what you read.