The biggest sources of data breaches and hazards to organisations are a lack of internal security awareness and human error.
Yet another study, conducted by Security Tracker, revealed that over 75% of small and medium businesses organise data security training and workshops on document protection only once a year, and in some cases less often than that. The survey also revealed that an increasing number of organisations are failing to prioritise data security training for employees to prevent fraud and hacking. And this is no longer just a small and medium business issue: more than half of the participants in the study who belonged to large organisations also reported that data security training for employees was conducted less than once a year.
Almost every technology expert is of the opinion that employees tend to forget over 90% of instructional guidance within a week, which makes training staff less than once a year a woefully inadequate practice for effective security awareness.
Some best-practice ideas that can be employed in a security programme include:
- Creating awareness before initiating training – When starting a security-training programme, it can be tempting to head straight into training activities. However, it is important to realise that employees must be adequately prepared before training begins. A key result of raising awareness about data security is a more committed employee who will be willing to accommodate and conform to the strategies imparted during training.
- Incorporate data security training into organisation-wide employee education. Integrating data security training into an organisation’s existing staff education programme ensures that instruction is assessed and reviewed from time to time and that the programme's validity is regularly monitored.
- Integrate data security content into all staff communication channels. To ensure that confidentiality and protection are maintained throughout, it is important to hold continuous discussions with staff members about data security through bulletins, emails, login messages, and other internal channels.
- Create role-based training classes. Every employee requires training, but not every employee requires the same kind of training. Training must be customised to reflect a user’s job duties, the amount of information handled, and the sensitivity of the information that an employee can access. A productive training programme is one that provides fundamental content to all employees as well as customised components for different job classifications, levels, and responsibilities. The right form of role-based training includes activities that challenge staff to consider how they would handle situations that are likely to arise in their current roles.
Information security best practices must be a part of every employee’s everyday function and obligations, and this can only happen when management sets guidelines on how to implement them. A multipronged strategy could help in launching a comprehensive training programme. It could include:
- Commit to a security culture: A commitment to information security must come from the top down in order for staff to follow suit. If employees observe their supervisors and managers behaving in a manner that subverts data security protocols and processes, they are not likely to take data security guidelines seriously either. Perhaps the management could ask employees to take a pledge to make their workplace a more secure environment. The pledge could be displayed in various locations across the office. To motivate staff from all departments, certain employees could be appointed to take part in a committee focussed on improving data security practices.
- Repetition and frequency are essential: Learning must take place at periodic intervals throughout the year, including varied modules on organisational data security guidelines. An approach involving numerous channels, including a mix of in-person and digital instruction, can help ensure that staff become aware of how to handle sensitive data.
- Embed it: Ensure that data security practices become a seamless part of daily activities. Some additional measures that can further help in safeguarding information would be to implement a shredding policy, under which all documents that are no longer needed must be destroyed, and a ‘clean desk’ policy that ensures all staff members clear their workstations and lock documents away securely at the end of their working hours. This could help in minimising data breach incidents.
But for policies such as these to be implemented and become common practice, an example must be set. For physical and digital data to be managed, stored and destroyed effectively, employees must be trained adequately and periodically. Lack of instructional training can result in unintentional exposure of documents and a serious risk to organisational reputation, causing income and data loss.