
Why do enterprises need employee security awareness training?

With human error as the leading cause of breaches and security incidents within the enterprise, organizations should offer employees mandatory security awareness training with regular refreshers.

Believe it or not, most studies show that employee human error is by far the leading cause of malware infections, data breaches and other security incidents within the enterprise. In the IT security world these are referred to as insider threats, but that name is somewhat misleading: after all, we're talking about your employees. Most of the time there is no malicious intent behind an insider threat incident. Instead, the threat is simply an employee's lack of understanding of how to operate safely within the corporate network. To address the problem, offering employees security awareness training on data security threats and how to avoid them will go a long way toward better securing your IT infrastructure.

If your IT security department is spending thousands or millions of dollars on the latest high-tech firewalls, malware prevention software and data loss prevention tools but doesn't properly train employees on security threats, you're probably throwing your money away.

In most businesses, trusted employees are granted a great deal of privileged access to sensitive information. Despite all of the expensive security tools you may have implemented to protect data from being corrupted or exfiltrated, it remains easy for poorly informed employees to inadvertently bypass those tools without realizing they are doing anything wrong.


The key to proper security awareness training is to provide education early and often. Many companies require new hires to go through some form of security awareness training during their new employee orientation process. While this is a good first step, it doesn't go far enough. For starters, new employees are likely to be overwhelmed by all the new people and processes thrown at them, so the likelihood that a new employee will retain even a portion of what was presented in security awareness training is low. One best practice is to schedule a mandatory refresher course within 30 days of an employee's hiring date to solidify the initial training.

The other misstep companies make when instituting security awareness training is failing to provide regular, mandatory refresher courses that cover new security procedures, standards and threats. Mass emails or mentions on the corporate intranet don't cut it. Despite the time, effort and cost required to provide continuous retraining on data security threats, the return on this security investment can be enormous.

This was last published in April 2019


Have your organization's security awareness efforts paid off in terms of decreasing security incidents based on human error?
I am of the opinion that security awareness training cannot reduce your chances of getting breached. Even with an excellent training program with up-to-date, relevant materials, executed regularly, with automated systems to check whether users still click on phishing emails, etc., it just takes 1 careless employee out of thousands to cause a breach that can spread throughout the whole organization! So it is not a percentage game where that 1 employee represents a very small percentage of the entire staff population. A single breach can have a devastating effect. When that happens, would all the cost, effort and time invested in security awareness training be worth it? We need a system that is more dummy-proof, so that even if a dummy is well trained in security awareness, his/her mistake will not cause a breach. I believe implementing an Internet Isolation system for all web and email access would be more effective in preventing a breach, even when an employee makes a mistake and clicks on a malicious URL or opens a downloaded email attachment file. With an Isolation System, it acts as a proxy for the user in all web browsing and email activities in a disposable container, outside of the user PC, so that if anything malicious happens, it happens inside this container, which is deleted with every session, isolating the PC from any malicious activity or malware infection. I would like to hear what the majority of you readers think.