Eighty-five percent of what, you ask? Studies show that 85% of data breaches are related to human error.
I know you’ll see varying studies that show that only 25% of data breaches are due to human error, however, that 25% is only showing the unintentional release of data through mistakes like inadvertent sharing, improper disposal, mis-addressed correspondence, etc. When you factor in other human-controllable errors like misconfigured resources (servers, systems, etc.) and falling for phishing emails, that number is approaching that 85% mark.
How do we reduce that percentage? One way is training. And let's be clear, I don't mean more training, I mean better training. Make sure your training has a focus on content and awareness, not just generic information security. Speaking abstractly about information security probably won’t hit home with most people.
The training should be relatable to your audience. Everyone probably has direct or indirect experiences with things like identity theft and loss of financial information. Give people the training in such a way that they have "ah ha moments” and can apply the lessons they learned to their own day-to-day lives.
Make sure that there is understanding and comprehension. This should not be another go-through-the-motions training exercise to meet an audit check box.
Deliver your training through multiple channels so that the content can be absorbed easily by each person, in the way that they learn best.
I was recently giving an on-site training presentation about everybody’s favorite topic, the PCI DSS. I could tell that many people that received the training were engaged and interested, but some needed additional nudging. As we were chatting later about the importance of checking credit card terminals for tampering and substitution, I displayed a few videos of criminals installing skimmers on credit card terminals at convenience stores. That video changed the user’s “yeah, yeah, infosec, got it” look to a “you sir, have my undivided attention” look. Our continued discussion included how these techniques could be used by criminals at ATMs, automated fuel dispensers, etc. It was relatable and topical, but most importantly, the “ah ha moment” had occurred.
Let’s reduce the percentage of breaches due to human error. Let’s help everyone have their own “ah ha moments.”