There are two schools of thought on IT security training. There are those who believe that training employees on IT security risks and protocols is a worthwhile expenditure, and there are those who think it’s a waste of time and dollars. Most organizations, however, fall somewhere in the middle – the question isn’t a matter of training or no training but rather how much and what kind of training is necessary.
In some industries – like health care and financial services – training requirements are subject to regulatory compliance mandates. For those industries exempt from these requirements, it’s up to the organization to determine what level and kind of training is appropriate and how much and where they’re willing to spend.
While users aren’t security experts and can’t reasonably be expected to keep ahead of complex potential threats, it’s often the simple things that get lost in the security shuffle that cause the most damage.
For instance, a number of recent widespread data breaches started with a spear-phishing email ruse. Employees receive an email at work and unwittingly click on links and attachments, which in turn expose the entire organization to data exfiltration. It can happen in the blink of an eye, and the effects are devastating.
And it’s not just the organization that’s vulnerable to the fall-out associated with email security breaches – the risk also extends to customers and their email contacts.
When employees send out emails containing sensitive information – particularly attachments where confidential personal information appears – customers are put at risk for phishing schemes and identity theft. And, once hackers have successfully penetrated an individual’s email account, they can sift through archived emails and attachments containing sensitive information and use what they find to perpetrate fraud. Hackers can also swipe the email user’s contact address book and broaden the phishing expedition to friends and family.
The reason that email security awareness is so important is that employees across industries and organizations individually send and receive hundreds of emails per day. And, with the pressure to work quickly and provide customers with the service levels they expect, it’s tempting to cut corners with respect to email security – assuming, of course, that security protocols and tools are actually there in the first place.
Because the opportunity for breach is so high, it’s critically important to systemize email security. It’s not enough to merely educate employees on risks and preventative measures – it’s just as important to implement email security solutions to ensure that employees are successful in this endeavor.
The reality is that employees will circumvent protocols that aren’t simple and easy to implement. And, if a customer needs confidential information quickly, it’s very tempting to do what it takes to get them what they want when they want it. Most email security solutions are cumbersome and difficult to use, and some require that the sender and recipient have the same software installed on their computers to access encrypted communication and attachments. Cloud-based security document delivery solutions, by contrast, segregate confidential attachments from the body of the email and provide password protection for secure access – there’s nothing to download. Because these types of solutions are simple and easy to use, employees are less tempted to buck protocol.
The key is to build in safeguards and not only educate employees about email security risks and best practices but also provide them with tools that are accessible, efficient, and understandable to ensure compliance.