When it comes to security, employee training is critical. A lack of training can lead staff to follow outdated or improper data management and information security protocols. As a result, human error-related data breaches can occur, which could ultimately have a big impact on a company’s bottom line and reputation.
Almost half of Canadian large business C-suite executives and small business owners recognize that human error and lack of employee knowledge concerning information security protocols are the two biggest future threats to their company (41 per cent and 47 per cent respectively), according to a 2016 Shred-it Security Tracker survey by Ipsos Reid.
Human error-related breaches can be easily mitigated when employers provide employees with the right tools to separate fact from fiction. One of the best ways to educate employees on how to reduce risk is to implement regular and comprehensive training programs on the best practices for responsibly managing, storing and destroying physical and digital data.
Unfortunately, employers are not prioritizing employee training on company information security procedures and industry legal requirements — only 31 per cent of C-suite respondents said they train employees more than once a year on how to remain compliant with their industry’s legal requirements for the storage and destruction of confidential information, according to the survey.
Results are similar on the small business front, with 39 per cent of owners reporting they never train employees on legal requirements or company information security procedures, and only 31 per cent conduct training on an ad-hoc or as-needed basis.
With limited training and education on how to safely manage, store and destroy confidential information, employees may be unaware of their responsibilities or how their actions can open their business, personnel or customers to risk.
Without that training, employees are left to decide for themselves what is and isn’t confidential. If they make an error in judgment, an organization can unintentionally be exposed to serious risks such as theft, fraud, data loss and reputational damage.
Just as human resources management takes a careful approach when it comes to employee training on office devices, software applications and workplace code of conduct, so too should information security training be integrated as another formal exercise for all employees to receive. Regular training throughout the year provides employees with the right mix of knowledge and skills to protect their employer from information security issues and helps mitigate the risk of data breaches caused by human error or lack of knowledge of security practices.
Frequent training can also serve as an ongoing approach for HR to help keep risks top-of-mind among employees and ensure the information security policies and procedures are being followed.
With this said, research shows there is certainly room for improvement when it comes to ensuring all employees follow procedures. For example, only just over half of the C-suite (57 per cent) and less than half (43 per cent) of small business owners have a protocol for storing and disposing of confidential paper data that is strictly adhered to by all employees. And only 61 per cent of executives and 40 per cent of small business owners have a protocol addressing electronic devices that is strictly adhered to by all employees.
Integrating information security training among the various training programs employees receive through human resources helps the workforce become more aware of the risks associated with mishandling confidential information and ultimately protects the company against damaging data breaches.
Myths and strategies
An important first step is to set the record straight on common information security myths to ensure all employees accurately understand how to manage and identify security risks. Human resources management in both large and small businesses should consider the following information security myths and strategies to help business leaders protect their customers, reputation and employees.
Myth 1: Erasing data from a hard drive completely removes the information.
Fact: Deleting files, reformatting a drive or running a quick erase does not always make the data inaccessible. A delete or quick format normally removes only the file system’s references to the data; the data itself stays on the drive until something overwrites it, and off-the-shelf recovery tools read the drive directly and ignore those references. Employees can therefore accidentally expose confidential information when old hard drives are sent to be recycled, reused or resold. A full overwrite can be effective on a conventional magnetic drive, but on solid-state drives wear levelling and spare cells mean an overwrite cannot be verified from the host, so a best practice in proper disposal is for organizations to require that obsolete hard drives be physically destroyed before disposal. Destroying the drive before the device is resold, recycled or disposed of ensures the information is unrecoverable and provides peace of mind that the confidential information is safeguarded.
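As an added illustration (not part of the original article), the following toy simulation in Python shows why a delete or quick format leaves data recoverable but a full overwrite does not. The disk layout, the sample HR record and the carving routine are all made up for the demonstration and do not correspond to any real file system or recovery tool.

```python
# Toy simulation of a drive: an allocation table followed by fixed-size data
# blocks. Added illustration, not a real file system or any vendor's tool.
import re

BLOCK_SIZE = 16
NUM_BLOCKS = 32
TABLE_BYTES = NUM_BLOCKS          # one byte per block: 0 = free, 1 = in use


class ToyDisk:
    def __init__(self):
        # The whole "platter": table first, then the data area.
        self.raw = bytearray(TABLE_BYTES + NUM_BLOCKS * BLOCK_SIZE)

    def _offset(self, block):
        return TABLE_BYTES + block * BLOCK_SIZE

    def write_file(self, data):
        """Store data in free blocks and mark them used; returns the block list."""
        blocks = []
        for i in range(0, len(data), BLOCK_SIZE):
            chunk = data[i:i + BLOCK_SIZE]
            free = next(b for b in range(NUM_BLOCKS) if self.raw[b] == 0)
            off = self._offset(free)
            self.raw[off:off + len(chunk)] = chunk
            self.raw[free] = 1
            blocks.append(free)
        return blocks

    def delete_file(self, blocks):
        """Ordinary delete: only the table entries are cleared; data stays put."""
        for b in blocks:
            self.raw[b] = 0

    def quick_format(self):
        """Quick format: zero the whole table, leave the data area untouched."""
        self.raw[:TABLE_BYTES] = bytes(TABLE_BYTES)

    def overwrite_all(self):
        """Sanitizing overwrite: every byte of the drive, table and data alike."""
        self.raw[:] = bytes(len(self.raw))

    def carve(self, pattern):
        """What a recovery tool does: scan the raw bytes, ignoring the table."""
        return [m.start() for m in re.finditer(re.escape(pattern), bytes(self.raw))]


def demo():
    """Returns whether a constructed HR record is still recoverable after each step."""
    disk = ToyDisk()
    record = b"SIN 123-456-789 salary 95000"    # constructed sample, not real data
    blocks = disk.write_file(record)
    found = {}
    disk.delete_file(blocks)
    found["after_delete"] = bool(disk.carve(record))
    disk.quick_format()
    found["after_format"] = bool(disk.carve(record))
    disk.overwrite_all()
    found["after_overwrite"] = bool(disk.carve(record))
    return found


if __name__ == "__main__":
    for step, recoverable in demo().items():
        print(f"{step:16s} recoverable={recoverable}")
```

Running it reports the record as recoverable after the delete and after the quick format, and gone only after the overwrite. On a real solid-state drive even that last step is not something the host can confirm, which is why the article’s advice is physical destruction rather than software erasure.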
Myth 2: Disposing of confidential documents in the recycling bin is better for the environment and safely discards company information, as long as the paper is torn into pieces.
Fact: Recycling documents is good for the environment, and protecting the confidentiality of company records is just as important. However, recycling bins are unsecured and, therefore, confidential documents, whether or not they are torn into pieces, can be easily removed and pieced back together. To protect company information and reduce the risk of a data breach, organizations should have locked consoles available to all employees and require that all documents be shredded.
Also, consider implementing a “shred-it-all” policy. This eliminates the guesswork about what is and isn’t confidential while ensuring employees don’t accidentally leave confidential information in an unsecured bin. Organizations can maintain their commitment to the environment while still protecting information, as all of the shredded paper is recycled. Overall, the policy leaves little to be decided about what should or should not be deposited in recycling bins, and is one of the easiest ways to avoid the mishandling of confidential documents and files.
Myth 3: People can safely enter personal information on a website if they recognize the source or the sender that sent the link.
Fact: Identity thieves and fraudsters often capitalize on employee trust by impersonating government agencies or banks to request private account information or credentials. These scam emails are designed to look real and may insist that personal or corporate information is needed urgently. They typically urge an employee to visit a fake website, often behind a link whose visible text shows a legitimate address while the link itself points somewhere else, where the employee is asked to “verify” their identity by entering confidential information. Business or personal information should never be entered into a site reached by following a link in an email, even if the site appears credible. Experts recommend typing the organization’s address directly into the browser or navigating to it via a saved bookmark.
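The following Python example is added here and is not from the original article. It shows the check behind this advice: for each link in an email message, compare the host the visible text claims with the host the link actually points to, and whether that host is one the organization trusts. Going a little beyond the text, it also flags untrusted destinations that borrow a trusted brand name in their host name. The sample message, the trusted-host list and every host name in them are constructed for illustration.

```python
# Link inspection for an HTML e-mail: does each link point where it claims to?
# Added example; the message, trusted hosts and host names are constructed.
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed allowlist of hosts the organization legitimately uses (hypothetical).
TRUSTED_HOSTS = {"www.bank.example", "bank.example", "cra.example"}


class LinkExtractor(HTMLParser):
    """Collects (href, visible text) pairs from <a> elements."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    return (urlparse(url).hostname or "").lower()


def host_shown(text):
    """Host name the visible link text claims, or '' if the text is just words."""
    t = text.strip().lower()
    if "://" in t:
        return host_of(t)
    if "." in t and " " not in t:
        return t.split("/")[0]
    return ""


def assess_link(href, text, trusted=TRUSTED_HOSTS):
    actual = host_of(href)
    shown = host_shown(text)
    brands = {h.split(".")[0] for h in trusted} - {"www"}
    return {
        "href": href,
        "text": text,
        "host": actual,
        # Destination is on the allowlist.
        "trusted": actual in trusted,
        # Visible text names a different host than the real destination.
        "mismatch": bool(shown) and shown != actual,
        # Untrusted destination that borrows a trusted brand name.
        "lookalike": actual not in trusted and any(b in actual for b in brands),
    }


def assess_email(html, trusted=TRUSTED_HOSTS):
    parser = LinkExtractor()
    parser.feed(html)
    return [assess_link(h, t, trusted) for h, t in parser.links]


# Constructed sample message in the style described above.
SAMPLE_EMAIL = """
<p>Your account has been locked. Verify your identity at
<a href="http://bank.example-verify.net/login">https://www.bank.example/login</a>
within 24 hours.</p>
<p><a href="https://www.bank.example/statements">View statements</a></p>
<p><a href="https://secure-bank-login.example.net/">Help centre</a></p>
"""

if __name__ == "__main__":
    for r in assess_email(SAMPLE_EMAIL):
        suspicious = r["mismatch"] or r["lookalike"] or not r["trusted"]
        flag = "SUSPICIOUS" if suspicious else "ok"
        print(f"{flag:10s} {r['host']:32s} text={r['text']!r}")
```

The first link is the classic lure: the text reads as the bank’s address while the destination is a different registered domain that merely starts with the bank’s name. The “Help centre” link has innocuous text, so a text-versus-destination comparison alone would pass it, and only the allowlist and brand-name checks catch it. This is the automated form of the manual habit the article recommends: look at where a link really goes, or avoid the link and type the address yourself.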
Myth 4: People can use their own smartphone or another device at work, as long as it is password-protected.
Fact: With a growing number of employees working in mobile work environments, it has become common practice for employees to use their own devices for work. While this allows for greater employee flexibility, personal devices can create a number of security-related issues. A password only protects the unlock screen; if a lost or stolen device is not also encrypted, the storage can be read directly, so all devices holding confidential information should have device encryption turned on. Bring your own device (BYOD) security programs should also be in place to protect the pathway from the personal device to corporate systems, including the ability to remotely wipe corporate data from a device that is lost or when the employee leaves.
Myth 5: Keeping material at a desk at work is safe.
Fact: Work stations pose a threat because loose paperwork on desktops can be vulnerable to snooping and data theft. Organizations should implement a “clean desk” policy that encourages employees to clear their desks and lock documents in a filing cabinet or storage unit when they step away from their workstation for an extended period and at the end of each work day. This includes documents, files, notes, business cards and removable digital media such as memory sticks.
Myth 6: Messages on smart phones or laptops are private.
Fact: The visual hacking (shoulder surfing) of information on mobile devices can occur almost anywhere, including most public places such as coffee shops, airport lounges and restaurants, as well as during the commute between work and home or even in the office. Organizations should provide employees with privacy screens for laptops, tablets and other mobile devices to keep confidential information safe from prying eyes.
Myth 7: Public Wi-Fi is safe if it is password-protected.
Fact: Even when password-protected, shared or public Internet connections can still expose valuable information to data thieves and hackers. The password on a shared network only controls who can join it: everyone who has the password is on the same network, and on the common pre-shared-key Wi-Fi setup an attacker who knows the password and observes another device joining can decrypt that device’s traffic. Organizations should establish policies that require employees to connect only to trusted networks for work purposes, or to use a company VPN so that work traffic stays encrypted regardless of the network it crosses.
By failing to ensure employees understand and follow information security policies, businesses are putting their organization and reputations at risk and potentially exposing valuable customer, employee and business data. But when data protection is prioritized and done well, it encourages more disciplined operations, increased customer and stakeholder trust, and minimizes the risk of penalties, fines or damages to reputation caused by poor information security practices.
HR has an important role to play to ensure information security training for employees is high on management’s agenda. Information security must be seen as a shared responsibility among all employees and HR management must work with senior management to ensure they are banishing information security bad habits through consistent employee training and education repeated regularly throughout the year.
Andrew Lenardon is global director at Shred-it International in Toronto.
© Copyright Canadian HR Reporter, Thomson Reuters Canada Limited. All rights reserved.