It seems to be human nature that a person without malicious intent does not believe crime truly exists until it happens to them. Most organizations have now done a good job (and some an excellent job) of providing security awareness for their employees. As an assessor, what I find interesting is a new trend: employees understand security around their workplace, but when they walk out of your building, they forget to pay attention to what they do with their own information. I also still see some employees who don’t take security awareness seriously in the workplace.
There are a few things you can do to make your security awareness training more effective for both you and your employees, so that you can help them be more careful with the company’s data while also better protecting themselves.
1. How could a breach of data affect your employees’ paychecks?
Direct your employees down the path of thinking about how a breach at the company could affect them personally. As examples:
- What would a breach of company data mean to the company’s bottom line (e.g., affect reputation, company expenditures, profitability, repeat business, etc.)?
- How would the breach affect them personally (e.g., impact bonuses and raises, cause the stock price to drop, lead to loss of jobs, etc.)?
All you have to do is enter “cost of breach” into an Internet search engine such as Google or Bing, and you can find interesting analysis about how much a data breach can cost a company. I’ve seen numbers anywhere from $4 billion (study by CyberFactors) to TJX’s breach costing in excess of $256 million.
When your employees truly grasp how a breach can affect their paycheck or future compensation, I have found they take more to heart the knowledge you are providing, and they take a different level of ownership around protecting a company’s sensitive data—and their own.
2. How could personal data fall into the wrong hands?
Help employees use your security awareness training in their personal lives. Have your employees consider the following:
- When given a receipt, do they look at the receipt to make sure their entire credit card number isn’t printed on it?
- Is there a difference in using a credit card versus a debit card?
I know it must sound strange that some companies still give their customers a receipt with the entire credit card number printed on it. This happened to me just the other day. I went into a little shop for the first time and made a purchase. I looked at both the store’s receipt and the receipt they gave me, and this small vendor has never updated their store’s Point of Sale (POS) system. Had I been careless with that receipt, my credit card could easily have been stolen. I asked this store what they did with their copy of the receipt with my full credit card data, and I made a mental note to myself to always take cash – if I go back!
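The receipt problem above comes down to one control: a receipt (or any printed or logged output) must never carry the full primary account number (PAN), only a truncated form such as the last four digits. The example below is added here to illustrate that control and is not code from the original post or from any particular POS vendor. It masks a PAN for printing and runs a simple audit over receipt lines, using the Luhn check to tell a real card number from other long digit strings such as an order number. The receipt lines and the card numbers in them are constructed for this example (the 4111 number is a well-known test PAN, not a real account).

```python
import re

# Candidate PAN: 13 to 19 digits, optionally separated by spaces or dashes,
# not embedded in a longer run of digits.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn (mod 10) checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Truncate a PAN for receipt printing: keep only the last four digits."""
    digits = re.sub(r"\D", "", pan)
    return "*" * (len(digits) - 4) + digits[-4:]


def find_unmasked_pans(text: str) -> list:
    """Return every Luhn-valid PAN that appears in full within the text."""
    found = []
    for match in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"\D", "", match.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found


def audit_receipt(lines: list) -> list:
    """Return (line number, PAN) pairs for every line that prints a full PAN."""
    findings = []
    for number, line in enumerate(lines, start=1):
        for pan in find_unmasked_pans(line):
            findings.append((number, pan))
    return findings


# Constructed receipt output, as an outdated POS might print it.
RECEIPT_LINES = [
    "Store #12 - Thank you for shopping",
    "VISA 4111 1111 1111 1111 EXP 12/29",   # full test PAN printed: the defect
    "MASTERCARD ************4444",           # properly truncated
    "Order 1234567890123 total $42.17",      # 13 digits, but fails Luhn: not a PAN
    "Tel 555-123-4567",
]

if __name__ == "__main__":
    for line_no, pan in audit_receipt(RECEIPT_LINES):
        print(f"line {line_no}: full PAN printed, should be {mask_pan(pan)}")
```

Running the audit over the constructed lines flags only line 2; the order number on line 4 is the right length but fails the Luhn check, which is why the checksum matters for keeping false positives down. The same `find_unmasked_pans` routine can be pointed at application logs or exported reports, where full PANs tend to leak just as often as on paper.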
Another thing to consider is the type of card your employees use – and that your company accepts. I cannot tell you how many employees I have seen use a debit card rather than a credit card, only to have the debit card number stolen. Because a debit card draws directly on a bank account, the stolen funds were withdrawn immediately, and they were unable to make their house payment or bounced checks until they could prove to the bank that the transactions were not theirs and the funds were returned. Had they used a credit card and it had been breached, the employee would simply have contacted the credit card company to cancel the card, and the credit card company would have credited the account for the fraudulent charges.
3. How should personal card data be protected?
Ask your employees to handle your company’s customers’ card data as if it were their own.
For those who have dealt with credit card breaches, you know how expensive it is to your company, and you know how this affects the organization and its employees. Security awareness is a much less expensive measure for a company to take to help protect its data. Who knows – if your employees begin paying more attention to how their personal data is handled, you might find they are more apt to notice an area where you may have risk within your organization as well.
How have you been able to personalize the importance of security awareness? Has greater awareness helped identify other areas of risk?
*The 2013 Cost of Data Breach Study: Global Analysis, benchmark research sponsored by Symantec and independently conducted by Ponemon Institute LLC, published in May 2013 (https://www4.symantec.com/mktginfo/whitepaper/053013_GL_NA_WP_Ponemon-2013-Cost-of-a-Data-Breach-Report_daiNA_cta72382.pdf), states the following: When hackers stole millions of names and email addresses from Epsilon, a study by CyberFactors, a cyber risk analytics company, estimated that the breach could cost between $225 million and $4 billion, depending on what happened with the stolen data (http://www.csmonitor.com/Business/2011/0504/Data-theft-Top-5-most-expensive-data-breaches/1.-tie-Epsilon-to-be-determined). The Ponemon studies, however, estimate a lower cost, at least $100 million.