Training Insiders About Cybersecurity: The D.N.C. Case Study
Data security is ever changing, both from a compliance and a technological perspective. Understanding cybersecurity updates is critical to keeping on top of them, especially since data security is the top priority of companies.
Once again, another report indicates that most data breaches are caused not by malicious hackers but rather by simple human error. The Society of Corporate Compliance and Ethics (SCCE) released survey results from compliance professionals in Data Breach Incidents, Causes, and Response “to better understand the impact and frequency of data breaches.” While 17% of compliance professionals (up from 11% in 2012) reported that a hacker was responsible for a data breach in their companies, 20% reported that a lost device (e.g., a laptop) and 45% reported that lost paper files were the cause of their organization’s data breach. This follows a Ponemon Institute report that found insider negligence to be the leading cause of data theft or loss.
There’s good news, however. Data breaches are down. Thirty-two percent of respondents “reported no incidents, which is 6 percentage points less than the current survey.” Additionally, even though insiders are the leading cause of data breaches, they are also the number one source of incident reports. “When asked how was the last incident discovered, survey respondents reported that audits discovered just 5%, and IT reported just 10%. By contrast, employees other than IT reported 46%.” Data security training and education for any insider with access to sensitive data, be it employees, contractors, or third parties, is the most important safeguard companies can take.
To illustrate the importance of training all insiders, the security hacks on the Democratic National Committee (D.N.C.) in 2016 provide a good example. While it’s true that D.N.C. leadership acted quickly when it found out about the hacks to its system in April 2016, it should have known much sooner. According to the New York Times, the F.B.I. called the D.N.C. tech help desk in September 2015 after it confirmed that hackers had compromised at least one D.N.C. computer system. It reached just one guy, a tech-support contractor who was “no expert in cyberattacks,” who nonetheless searched the D.N.C. system and found nothing. Neither the contractor nor the F.B.I. contacted higher-ups at the D.N.C., despite multiple unreturned phone calls from the F.B.I.
To be fair, the contractor did not have reason to believe the D.N.C. was hacked and thought the phone calls were fake. Research shows that gullibility and carelessness, two factors not present in the contractor’s reactions to the D.N.C. breach, are the main factors driving insiders who fall prey to data security scams. Still, the contractor’s reaction is something you would expect from an untrained insider; through better internal cybersecurity training or education, knowledgeable insiders can stop such breaches sooner.
It is still believed that the initial breach of the D.N.C. system was caused by a phishing email that an insider mistakenly acted on. In addition to phishing emails, insider negligence also enables ransomware attacks, which PC World reports as a “top threat” to enterprises. For more information about how to prevent insider negligence, check out LawRoom’s white paper Investing in the Human Firewall: Data Security Training for Employees.
LawRoom (powered by EverFi) delivers online compliance courses to help your business meet compliance requirements both dynamically and scalably. In addition to our award-winning online courses, LawRoom delivers a robust, cloud-based learning management system to help you easily deploy and track our growing library of ethics, anti-harassment, data security and employee conduct courses.