Corporate data breaches are a big deal, and as data grows more valuable and regulations become stricter, it’s increasingly important to have the right mechanisms in place to prevent them. IBM’s 2020 Cost of a Data Breach report found that the average cost of a breach in the U.S. was more than $8 million. Even during a global pandemic, scammers and cybercriminals continue to orchestrate business email compromise scams, spear phishing schemes and other social engineering attacks.
Overcoming this challenge requires a balanced approach that uses effective training and appropriate technology. Here are five steps businesses can take to improve their breach avoidance tactics:
- Train employees to recognize common mistakes and scam tactics.
Training employees to recognize common scam tactics can go a long way toward preventing breaches. If a superior asks you to sign off on an invoice you don’t recognize, double-check that the email comes from his actual email address. If they’re asking to buy gift cards or perform some other unusual action, double-check with them first. On a similar note, train employees to take the time to check links before they click. Simple steps like these will help employees avoid some of the most common pitfalls. - Ensure that employees know how and why to use their security tools.
Just because an organization has certain security tools available doesn’t mean they’re actually used properly. Are employees actually using two-factor authentication? Are their filesharing passwords strong enough? Are they logging into their VPNs when appropriate, or using secure Wi-Fi networks when working remotely? If the answer to these and other questions is “no,” the organization can be at risk. Training employees not just on the “how” of security tools but also the “why” can go a long way toward generating buy-in and ensuring that they use the tools effectively. - Create a culture of accountability, rather than blame.
Mistakes are such a common cause of breaches because they are generally difficult to detect. Companies will only discover mistakes if the employee owns up to the error—which many are understandably reluctant to do. An employee who fears for their job will generally sweep it under the rug, hoping nobody notices. It’s a company culture challenge, rather than a technological one, and requires organizations to examine their responses to mistakes. Businesses willing to work with employees to help prevent similar incidents in the future will likely have more success stopping breaches than those that impose unreasonably draconian punishments. - Understand how today’s technology can help—because training has a ceiling.
Even the most well-trained employees will inevitably make mistakes, so it’s important to recognize the limits of training. Fortunately, there are new and innovative security tools that offer a digital backstop. Advances in machine learning have developed tools that identify anomalous behavior, raising red flags if an email address or attachment doesn’t look right. Encryption tools can now detect whether the company uses the correct level of encryption, while verifying the identity of both sender and recipient. Employees need training, but they should also know that there’s a safety net waiting below them to help. - Help employees help themselves.
What do building a culture of accountability and identifying new security tools have in common? They help employees take control of their own actions. Companies can raise alerts, letting an employee know that they may be responding to a scam email, giving the employee the opportunity to self-correct, stopping potentially damaging incident before it happens. This approach helps prevent costly breaches by empowering the employee to recognize and correct their own mistakes, which helps build a culture of accountability and support.
The marriage of training and technology puts the power to address and learn from mistakes in the hands of employers and their employees, helping them better understand the ease with which breaches can take place and the importance of stopping them. Whether breaches are caused by careless mistakes or reckless actions, implementing complementary training and technology can stop potential breaches in their tracks.
Tony Pepper, CEO, Egress