Last year, the average cost of a company data breach reached $3.8 million. In addition, the costs of data breaches are increasing each year, with 2014's average cost up 15% from the previous year. Data clearly shows the threat of a data breach is a serious (and growing) problem for organizations. So how can we guard against them?
The Cause of Company Data Breaches
It's a fairly common assumption that most company data breaches can be attributed to problems with technology and vulnerabilities in software. However, it’s not the technology causing a data breach, but the people using this technology. These users lack an understanding of security awareness and engage with software and technology in an insecure way, allowing hackers to successfully compromise secure systems and retrieve sensitive information.
Research shows human error is responsible for 52% of all security breaches, and 91% of successful data breaches rely on employees and customers falling victim to spear phishing and social engineering attacks.
In other words, insecure technology isn't your biggest problem. With 9 out of 10 company data breaches facilitated by employees and users taking insecure actions, it's people who pose the biggest security risk.
Reducing the Risk of Data Breaches
To some extent, technology solutions like anti-virus software, anti-malware software, firewalls, and proxy servers can help improve security, but without addressing the human risk to security, your organization will continue struggling to reduce the likelihood of a serious company data breach.
To take action on the cause of 91% of data breaches, start at the heart of the problem: employees. You need to improve the way employees and users engage with secure systems and secure information.
So how can we achieve that?
1) Roll-Out Security Awareness Training
As the costs of a successful data breach continue to increase, organizations must pay closer attention to security awareness in the workplace. Still, 46% of organizations offer no form of security awareness training.
From the C-suite to junior employees, data breaches can be triggered by anyone within your company. To protect against data breaches, your organization needs to roll out a mandated security awareness training program across the entire organization.
2) Tackle the 8 Principles of Security Awareness
Data breaches can be triggered in a number of different ways, the most common being malware, device theft, and phishing. A well-rounded security awareness program will tackle each of these potential issues, giving employees and users advice on the characteristics of each attack vector and the best practices that can help avoid them. The 8 Principles of Security Awareness include:
- Malware awareness
- Social engineering
- Password security
- Email security
- Physical security
- Mobile device security
- Travel security
- Phishing awareness
If you're struggling to structure your security awareness training, it can be helpful to adopt the SOCIAL framework, which offers six essential principles of security awareness that can be taught quickly and easily to your organization's entire workforce.
- Security-Minded: It’s essential to bring security to the forefront of your employees’ consciousness, and ensure individual employees understand the role they play in securing their organization’s physical and data assets.
- Organized: Set security guidelines within your organization for things such as password creation, securing company data, and mobile devices.
- Conscientious: Many attack attempts can be avoided if employees simply know what to look for when faced with common malicious techniques.
- Inquisitive: Don’t wait for an attack to happen before you act. Employees should always be on the lookout for potential threats.
- Active: Even with the best preventive measures in place, a security breach can still happen. An organization should have a plan it can act on immediately should such an event occur.
- Level-Headed: Remain confident in your plan and stay calm should a breach occur. Understand how the problem occurred, who you need to inform, and what you can do to remediate the threat.
These three steps are a great start for your company to become better aware of security threats and how to react to them.